package com.caucho.vfs;

import com.caucho.config.ConfigException;
import com.caucho.env.service.RootDirectorySystem;
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.util.IoUtil;
import com.caucho.util.L10N;
import java.io.IOException;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:com/caucho/vfs/JsseSSLFactory.class */
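public class JsseSSLFactory implements SSLFactory {
    private static final Logger log = Logger.getLogger(JsseSSLFactory.class.getName());
    private static final L10N L = new L10N(JsseSSLFactory.class);

    /** Backlog passed to {@code SSLServerSocketFactory.createServerSocket}. */
    private static final int BACKLOG = 100;

    // Reflective handles for the JDK 8 "honor cipher order" API
    // (SSLParameters.setUseCipherSuitesOrder). They stay null on older JDKs, in
    // which case setHonorCipherOrder(SSLServerSocket) is a no-op.
    private static Method _honorCipherOrderMethod;
    private static Method _getSSLParametersMethod;
    private static final Method _setSSLParameters;

    private Path _keyStoreFile;
    private String _alias;
    // Key (entry) password; also the fallback key-store password when
    // key-store-password is not configured.
    private String _password;
    // "required" -> setNeedClientAuth, "optional" -> setWantClientAuth, anything else -> no client auth.
    private String _verifyClient;
    private String _keyStorePassword;
    private String _keyManagerAlgorithm;
    private String _keyManagerProvider;
    private Path _trustStoreFile;
    private String _trustStorePassword;
    private String _trustStoreAlgorithm;
    private String _trustStoreProvider;
    private String[] _cipherSuites;
    // Substring patterns; any enabled suite whose name contains one of them is disabled.
    private String[] _cipherSuitesForbidden;
    private String[] _protocols;
    private String _selfSignedName;
    private Boolean _isHonorCipherOrder;
    private KeyStore _keyStore;
    private KeyStore _trustStore;
    private String _keyStoreType = "jks";
    private String _keyManagerFactory = "SunX509";
    private String _trustStoreType = "jks";
    private String _sslContext = "TLS";

    /**
     * Sets the exact list of enabled cipher suites (applied before the
     * forbidden-suite filter in {@link #create}).
     */
    public void setCipherSuites(String[] strArr) {
        this._cipherSuites = strArr;
    }

    /**
     * Sets substring patterns; every enabled suite whose name contains one of
     * them is removed from the enabled set in {@link #create}.
     */
    public void setCipherSuitesForbidden(String[] strArr) {
        this._cipherSuitesForbidden = strArr;
    }

    public void setKeyStoreFile(Path path) {
        this._keyStoreFile = path;
    }

    public Path getKeyStoreFile() {
        return this._keyStoreFile;
    }

    /** Sets the key (entry) password; doubles as the key-store password when none is set. */
    public void setPassword(String str) {
        this._password = str;
    }

    public String getPassword() {
        return this._password;
    }

    /** Selects a single key-store alias; {@link #init} rebuilds the store around it. */
    public void setAlias(String str) {
        this._alias = str;
    }

    public String getAlias() {
        return this._alias;
    }

    /** Client-certificate mode: {@code "required"}, {@code "optional"}, or anything else for none. */
    public void setVerifyClient(String str) {
        this._verifyClient = str;
    }

    public String getVerifyClient() {
        return this._verifyClient;
    }

    /** Key-manager algorithm used when neither key-manager-algorithm nor key-manager-provider is set. */
    public void setKeyManagerFactory(String str) {
        this._keyManagerFactory = str;
    }

    public void setKeyManagerAlgorithm(String str) {
        this._keyManagerAlgorithm = emptyToNull(str);
    }

    public void setKeyManagerProvider(String str) {
        this._keyManagerProvider = emptyToNull(str);
    }

    /**
     * Name of the generated self-signed certificate (used without a key store).
     * {@code null}, {@code ""} and {@code "*"} mean "derive from the bind address".
     */
    public void setSelfSignedCertificateName(String str) {
        this._selfSignedName = str;
    }

    /** Protocol passed to {@link SSLContext#getInstance(String)}; defaults to {@code "TLS"}. */
    public void setSSLContext(String str) {
        this._sslContext = str;
    }

    public void setKeyStoreType(String str) {
        this._keyStoreType = str;
    }

    /** Key-store password; an empty string is treated as "not configured". */
    public void setKeyStorePassword(String str) {
        this._keyStorePassword = emptyToNull(str);
    }

    public void setTrustStoreAlgorithm(String str) {
        this._trustStoreAlgorithm = emptyToNull(str);
    }

    public void setTrustStoreProvider(String str) {
        this._trustStoreProvider = emptyToNull(str);
    }

    public void setTrustStorePassword(String str) {
        this._trustStorePassword = emptyToNull(str);
    }

    public void setTrustStoreType(String str) {
        this._trustStoreType = str;
    }

    public void setTrustStoreFile(Path path) {
        this._trustStoreFile = path;
    }

    /** Enabled protocols, given as a whitespace- or comma-separated list. */
    public void setProtocol(String str) {
        this._protocols = str.split("[\\s,]+");
    }

    public Boolean getHonorCipherOrder() {
        return this._isHonorCipherOrder;
    }

    /**
     * Requests server-preferred cipher-suite ordering. Only effective on JDKs
     * that expose {@code SSLParameters.setUseCipherSuitesOrder}; otherwise a
     * warning is logged and the setting is ignored.
     */
    public void setHonorCipherOrder(Boolean bool) {
        if (_honorCipherOrderMethod == null) {
            log.log(Level.WARNING, "honor-cipher-order requires JDK 1.8");
        }
        this._isHonorCipherOrder = bool;
    }

    /** Supplies an already-loaded key store instead of key-store-file. */
    public void setKeyStoreInstance(KeyStore keyStore) {
        this._keyStore = keyStore;
    }

    /** Supplies an already-loaded trust store instead of trust-store-file. */
    public void setTrustStoreInstance(KeyStore keyStore) {
        this._trustStore = keyStore;
    }

    /**
     * Validates the configuration, loads the key store from key-store-file when
     * no instance was supplied, and — when an alias is configured — replaces
     * the store with an in-memory one holding only that alias.
     *
     * @throws ConfigException when the configuration is inconsistent or the
     *         alias has no key or certificate chain
     * @throws IOException when the key-store file cannot be read
     * @throws GeneralSecurityException when the key store cannot be loaded
     */
    @PostConstruct
    public void init() throws ConfigException, IOException, GeneralSecurityException {
        // Store password: key-store-password wins, password is the fallback.
        String storePassword = this._keyStorePassword != null ? this._keyStorePassword : this._password;

        if (this._keyStore == null) {
            validateKeyStoreConfig();
            if (this._keyStoreFile == null) {
                // Self-signed mode: the certificate is generated lazily in create().
                return;
            }
            this._keyStore = createKeyStore(this._keyStoreType, this._keyStoreFile, storePassword);
        }

        if (this._alias != null) {
            // Entry password: password wins, key-store-password is the fallback
            // (note the opposite precedence from the store password above).
            String keyPassword = this._password != null ? this._password : this._keyStorePassword;

            Key key = this._keyStore.getKey(this._alias, getPasswordChars(keyPassword));
            if (key == null) {
                throw new ConfigException(L.l("JSSE alias '{0}' does not have a corresponding key.", this._alias));
            }
            Certificate[] chain = this._keyStore.getCertificateChain(this._alias);
            if (chain == null) {
                throw new ConfigException(L.l("JSSE alias '{0}' does not have a corresponding certificate chain.", this._alias));
            }

            // Rebuild a store containing only the selected alias so the key
            // manager cannot choose a different entry. The field is only
            // replaced once the new store is fully populated.
            KeyStore single = KeyStore.getInstance(this._keyStoreType);
            single.load(null, getPasswordChars(storePassword));
            single.setKeyEntry(this._alias, key, getPasswordChars(keyPassword), chain);
            this._keyStore = single;
        }
    }

    /** Rejects inconsistent key-store settings; only called when no store instance was supplied. */
    private void validateKeyStoreConfig() throws ConfigException {
        if (this._keyStoreFile != null && this._password == null && this._keyStorePassword == null) {
            throw new ConfigException(L.l("'password' or 'key-store-password' is required for JSSE."));
        }
        if (this._password != null && this._keyStoreFile == null) {
            throw new ConfigException(L.l("'key-store-file' is required for JSSE."));
        }
        if (this._alias != null && this._keyStoreFile == null) {
            throw new ConfigException(L.l("'alias' requires a key store for JSSE."));
        }
        if (this._keyStoreFile == null && this._selfSignedName == null) {
            throw new ConfigException(L.l("JSSE requires a key-store-file or a self-signed-certificate-name."));
        }
    }

    /**
     * Loads a key store of the given type from a file.
     *
     * @param type     a {@link KeyStore#getInstance(String)} type such as {@code "jks"}
     * @param file     the store file
     * @param password the store password, or {@code null} for an unprotected store
     */
    private static KeyStore createKeyStore(String type, Path file, String password) throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (ReadStream in = file.openRead()) {
            keyStore.load(in, getPasswordChars(password));
        }
        return keyStore;
    }

    /** Converts a password to the {@code char[]} form the JSSE APIs take; {@code null} stays {@code null}. */
    private static char[] getPasswordChars(String str) {
        return str == null ? null : str.toCharArray();
    }

    /** Returns {@code null} for an empty string so "unset" and "" behave alike. */
    private static String emptyToNull(String str) {
        return "".equals(str) ? null : str;
    }

    /**
     * Creates a listening TLS socket. With a key store the configured key and
     * trust material is used; otherwise an anonymous self-signed certificate
     * is generated (or read from the cache). Cipher suites, forbidden suites,
     * protocols, client-auth mode and cipher ordering are then applied.
     *
     * @param inetAddress bind address, or {@code null} for all interfaces
     * @param i           port
     */
    @Override
    public QServerSocket create(InetAddress inetAddress, int i) throws IOException, GeneralSecurityException {
        SSLServerSocketFactory factory = this._keyStore != null
            ? createKeyStoreFactory()
            : createAnonymousFactory(inetAddress, i);

        // createServerSocket is declared to return ServerSocket; an SSL factory yields an SSLServerSocket.
        SSLServerSocket socket = (SSLServerSocket) (inetAddress == null
            ? factory.createServerSocket(i, BACKLOG)
            : factory.createServerSocket(i, BACKLOG, inetAddress));

        if (this._cipherSuites != null) {
            socket.setEnabledCipherSuites(this._cipherSuites);
        }
        if (this._cipherSuitesForbidden != null) {
            socket.setEnabledCipherSuites(withoutForbiddenSuites(socket));
        }
        if (this._protocols != null) {
            try {
                socket.setEnabledProtocols(this._protocols);
            } catch (Exception e) {
                throw ConfigException.create(L.l("Invalid protocols '{0}', expected from list '{1}'\n  {2}", Arrays.asList(this._protocols), Arrays.asList(socket.getSupportedProtocols()), e.toString()), e);
            }
        }
        // "required" rejects clients without a certificate; "optional" only asks for one.
        if ("required".equals(this._verifyClient)) {
            socket.setNeedClientAuth(true);
        } else if ("optional".equals(this._verifyClient)) {
            socket.setWantClientAuth(true);
        }
        setHonorCipherOrder(socket);
        return new QServerSocketWrapper(socket);
    }

    /** Builds the socket factory from the configured key store and trust store. */
    private SSLServerSocketFactory createKeyStoreFactory() throws IOException, GeneralSecurityException {
        SSLContext context = SSLContext.getInstance(this._sslContext);

        KeyManagerFactory kmf = (this._keyManagerAlgorithm == null && this._keyManagerProvider == null)
            ? KeyManagerFactory.getInstance(this._keyManagerFactory)
            : KeyManagerFactory.getInstance(this._keyManagerAlgorithm, this._keyManagerProvider);

        // Entry password: password wins, key-store-password is the fallback.
        String keyPassword = this._password != null ? this._password : this._keyStorePassword;
        kmf.init(this._keyStore, getPasswordChars(keyPassword));

        // A null TrustManager[] / SecureRandom selects the JSSE defaults.
        context.init(kmf.getKeyManagers(), createTrustStore(), null);
        return context.getServerSocketFactory();
    }

    /** Returns the socket's enabled suites minus those matching a forbidden pattern. */
    private String[] withoutForbiddenSuites(SSLServerSocket socket) {
        String[] enabled = socket.getEnabledCipherSuites();
        if (enabled == null) {
            enabled = socket.getSupportedCipherSuites();
        }
        ArrayList<String> kept = new ArrayList<>(enabled.length);
        for (String suite : enabled) {
            if (!isCipherForbidden(suite, this._cipherSuitesForbidden)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    /**
     * Builds the trust managers from the configured trust store.
     *
     * @return the trust managers, or {@code null} when no trust store is
     *         configured — which makes {@link SSLContext#init} fall back to the
     *         JDK default trust store, including for client-certificate checks
     */
    private TrustManager[] createTrustStore() throws IOException, GeneralSecurityException {
        if (this._trustStore == null && this._trustStoreFile == null) {
            return null;
        }
        KeyStore store = this._trustStore != null
            ? this._trustStore
            : createKeyStore(this._trustStoreType, this._trustStoreFile, this._trustStorePassword);

        String algorithm = this._trustStoreAlgorithm != null
            ? this._trustStoreAlgorithm
            : TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = this._trustStoreProvider != null
            ? TrustManagerFactory.getInstance(algorithm, this._trustStoreProvider)
            : TrustManagerFactory.getInstance(algorithm);
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    /**
     * Applies honor-cipher-order through reflection so the class still loads
     * on JDKs without {@code SSLParameters.setUseCipherSuitesOrder}. A no-op
     * when the option is unset or the API is unavailable; reflection failures
     * are logged, not propagated.
     */
    private void setHonorCipherOrder(SSLServerSocket socket) {
        if (this._isHonorCipherOrder == null
            || _honorCipherOrderMethod == null
            || _getSSLParametersMethod == null) {
            return;
        }
        try {
            SSLParameters params = (SSLParameters) _getSSLParametersMethod.invoke(socket);
            _honorCipherOrderMethod.invoke(params, this._isHonorCipherOrder);
            if (_setSSLParameters != null) {
                _setSSLParameters.invoke(socket, params);
            }
            log.log(Level.FINER, L.l("setting honor-cipher-order {0}", this._isHonorCipherOrder));
        } catch (Throwable th) {
            log.log(Level.WARNING, th.getMessage(), th);
        }
    }

    /**
     * Substring match: a suite is forbidden when its name contains any pattern
     * (so {@code "NULL"} or {@code "RC4"} disables every suite mentioning it).
     */
    private static boolean isCipherForbidden(String suite, String[] forbidden) {
        for (String pattern : forbidden) {
            if (suite.indexOf(pattern) >= 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds a socket factory backed by a self-signed certificate. The
     * certificate name is the configured self-signed-certificate-name, or the
     * bind address's host name (reverse DNS) / local host address when that is
     * unset, empty or {@code "*"}.
     */
    private SSLServerSocketFactory createAnonymousFactory(InetAddress inetAddress, int i) throws IOException, GeneralSecurityException {
        SSLContext context = SSLContext.getInstance(this._sslContext);

        String name = this._selfSignedName;
        if (name == null || "".equals(name) || "*".equals(name)) {
            name = inetAddress != null ? inetAddress.getHostName() : InetAddress.getLocalHost().getHostAddress();
        }

        SelfSignedCert cert = createSelfSignedCert(name, this._cipherSuites);
        if (cert == null) {
            throw new ConfigException(L.l("Cannot generate anonymous certificate"));
        }
        // No trust managers: peers are not verified in anonymous mode.
        context.init(cert.getKeyManagers(), null, null);
        return context.getServerSocketFactory();
    }

    /**
     * Returns the cached self-signed certificate {@code <data-dir>/certs/<name>.cert}
     * when present and unexpired; otherwise generates a new one and caches it.
     * Cache I/O is best-effort: failures are logged at FINER and a fresh
     * certificate is still returned.
     */
    private SelfSignedCert createSelfSignedCert(String name, String[] cipherSuites) {
        Path certDir = RootDirectorySystem.getCurrentDataDirectory().lookup("certs");

        SelfSignedCert cached = readCachedCert(certDir, name);
        if (cached != null) {
            return cached;
        }

        SelfSignedCert cert = SelfSignedCert.create(name, cipherSuites);
        writeCachedCert(certDir, name, cert);
        return cert;
    }

    /** Reads {@code <certDir>/<name>.cert}; returns {@code null} if missing, unreadable, expired or corrupt. */
    private static SelfSignedCert readCachedCert(Path certDir, String name) {
        try {
            Path certFile = certDir.lookup(name + ".cert");
            if (!certFile.canRead()) {
                return null;
            }
            try (ReadStream in = certFile.openRead()) {
                // Hessian deserialization of a file under the server's own data
                // directory: it is trusted only as far as that directory is
                // protected, so the cache path must never be user-writable.
                Hessian2Input hin = new Hessian2Input(in);
                SelfSignedCert cert = (SelfSignedCert) hin.readObject(SelfSignedCert.class);
                hin.close();
                return cert.isExpired() ? null : cert;
            }
        } catch (Exception e) {
            log.log(Level.FINER, e.toString(), e);
            return null;
        }
    }

    /**
     * Serializes the certificate to {@code <certDir>/<name>.cert}. The object
     * presumably carries the private key behind {@code getKeyManagers()}, so the
     * directory's permissions should match those of a key store — confirm.
     */
    private static void writeCachedCert(Path certDir, String name, SelfSignedCert cert) {
        try {
            certDir.mkdirs();
            try (WriteStream out = certDir.lookup(name + ".cert").openWrite()) {
                Hessian2Output hout = new Hessian2Output(out);
                hout.writeObject(cert);
                hout.close();
            }
        } catch (Exception e) {
            log.log(Level.FINER, e.toString(), e);
        }
    }

    /** Wrapping an existing socket is not supported by this factory. */
    @Override
    public QServerSocket bind(QServerSocket qServerSocket) throws ConfigException, IOException, GeneralSecurityException {
        throw new ConfigException(L.l("jsse is not allowed here"));
    }

    static {
        // Look up the JDK 8 cipher-ordering API without a hard reference so the
        // class loads on older JDKs. The methods are public, so no setAccessible
        // is needed. If getSSLParameters is missing, everything stays null; if
        // only setUseCipherSuitesOrder is missing, the getter handle is kept but
        // the feature is disabled (honor handle null).
        Method getParams = null;
        Method honor = null;
        Method setParams = null;
        try {
            getParams = SSLServerSocket.class.getMethod("getSSLParameters");
            honor = SSLParameters.class.getMethod("setUseCipherSuitesOrder", Boolean.TYPE);
            setParams = SSLServerSocket.class.getMethod("setSSLParameters", SSLParameters.class);
        } catch (Exception e) {
            log.log(Level.FINER, e.getMessage(), e);
        }
        _getSSLParametersMethod = getParams;
        _honorCipherOrderMethod = honor;
        _setSSLParameters = setParams;
    }
}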
