package org.eclipse.jetty.util.ssl;

import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Properties;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.util.AttributesMap;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

/* loaded from: classes.dex */
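/**
 * Creates the {@link SSLContext} for this component and applies the selected protocols and
 * cipher suites to each {@link SSLEngine} passed to {@link #customize(SSLEngine)}.
 *
 * <p>Security-relevant behaviour visible in this (decompiled) build:
 * <ul>
 *   <li>{@link #load()} calls {@code SSLContext.init(null, null, null)}, so key material, trust
 *       anchors and randomness all come from the platform defaults; no key store or trust store
 *       is configured here (which is why {@link #toString()} prints {@code null} for them).</li>
 *   <li>{@code _endpointIdentificationAlgorithm} defaults to {@code null}, which leaves hostname
 *       verification off for engines used in client mode; {@link #doStart()} only warns.</li>
 *   <li>SSLv2/SSLv3 and the suites matching {@link #DEFAULT_EXCLUDED_CIPHER_SUITES} are excluded
 *       by default, and {@link #doStart()} logs a warning if any of them is still enabled.</li>
 * </ul>
 *
 * <p>NOTE(review): all state is exposed through public fields, several of them mutable
 * collections or arrays; anything holding a reference can change the TLS policy after start.
 */
public final class SslContextFactory extends AbstractLifeCycle {
    /** Regular expressions (full match on the suite name) for suites removed by default. */
    public static final String[] DEFAULT_EXCLUDED_CIPHER_SUITES;
    /** Protocol names removed from the selected protocols by default. */
    public static final String[] DEFAULT_EXCLUDED_PROTOCOLS;
    public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
    public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
    public static final Logger LOG;
    public static final Logger LOG_CONFIG;
    // NOTE(review): the three maps below are only cleared in this file, never populated or
    // read; their key/value types cannot be determined from here, so they stay raw.
    public final HashMap _aliasX509;
    public final HashMap _certHosts;
    public final HashMap _certWilds;
    /** {@code null} means no endpoint identification (no hostname check) is requested. */
    public String _endpointIdentificationAlgorithm;
    /** Regular expressions; a selected suite that fully matches any of them is dropped. */
    public final LinkedHashSet<String> _excludeCipherSuites;
    /** Exact protocol names dropped from the selection. */
    public final LinkedHashSet<String> _excludeProtocols;
    /** Wrapper whose {@code _map} field holds the loaded {@link SSLContext}; null until load(). */
    public AttributesMap _factory;
    /** Regular expressions; when empty, the context's default suites are used instead. */
    public final ArrayList<String> _includeCipherSuites;
    /** Exact protocol names; when empty, the context's default protocols are used instead. */
    public final LinkedHashSet<String> _includeProtocols;
    // NOTE(review): the two renegotiation settings are assigned in the constructor but not
    // read anywhere in this class; presumably the connection layer enforces them - confirm.
    public final boolean _renegotiationAllowed;
    public final int _renegotiationLimit;
    public String[] _selectedCipherSuites;
    public String[] _selectedProtocols;
    // NOTE(review): assigned but not read in this class.
    public final boolean _sessionCachingEnabled;
    public final String _sslProtocol;
    /** Values of -1 leave the session context's own cache size / timeout untouched. */
    public final int _sslSessionCacheSize;
    public final int _sslSessionTimeout;
    public final boolean _useCipherSuitesOrder;

    /**
     * SNI matcher installed by {@link #customize(SSLEngine)} when host or wildcard entries exist.
     *
     * <p>In this build the matcher performs no lookup: it only logs and always accepts, so it
     * never causes a handshake to be rejected on the basis of the requested server name.
     */
    public final class AliasSNIMatcher extends SNIMatcher {
        public AliasSNIMatcher() {
            // 0 is the SNI name type for host_name.
            super(0);
        }

        /**
         * Logs the requested server name at debug level and accepts it.
         *
         * @param sNIServerName the name sent by the peer (untrusted input)
         * @return always {@code true}
         */
        @Override // javax.net.ssl.SNIMatcher
        public final boolean matches(SNIServerName sNIServerName) {
            Logger logger = SslContextFactory.LOG;
            if (logger.isDebugEnabled()) {
                logger.debug("SNI matching for {}", sNIServerName);
            }
            if (sNIServerName instanceof SNIHostName) {
                String host = StringUtil.asciiToLowerCase(((SNIHostName) sNIServerName).getAsciiName());
                // The decompiled original fetched _certWilds and located the first '.' here but
                // never used either value; those dead statements are dropped. The "matched"
                // message therefore always reports a null target.
                if (logger.isDebugEnabled()) {
                    logger.debug("SNI matched {}->{}", host, null);
                }
            } else if (logger.isDebugEnabled()) {
                logger.debug("SNI no match for {}", sNIServerName);
            }
            return true;
        }
    }

    static {
        Logger logger = Log.getLogger(SslContextFactory.class.getName());
        LOG = logger;
        LOG_CONFIG = logger.getLogger("config");
        // Prefer the algorithm named in the security properties, else the JSSE default.
        String keyManagerAlgorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
        DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
                keyManagerAlgorithm == null ? KeyManagerFactory.getDefaultAlgorithm() : keyManagerAlgorithm;
        String trustManagerAlgorithm = Security.getProperty("ssl.TrustManagerFactory.algorithm");
        DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
                trustManagerAlgorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : trustManagerAlgorithm;
        DEFAULT_EXCLUDED_PROTOCOLS = new String[]{"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};
        // Suites whose name ends in _MD5/_SHA/_SHA1, static-RSA key exchange, legacy SSL_
        // names, NULL encryption and anonymous (unauthenticated) key exchange.
        DEFAULT_EXCLUDED_CIPHER_SUITES = new String[]{"^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"};
    }

    /**
     * Creates a factory with the default policy: protocol "TLS", the default protocol and
     * cipher-suite exclusions, local cipher-suite order preferred, and no endpoint
     * identification algorithm.
     */
    public SslContextFactory() {
        this._excludeProtocols = new LinkedHashSet<>();
        this._includeProtocols = new LinkedHashSet<>();
        this._excludeCipherSuites = new LinkedHashSet<>();
        this._includeCipherSuites = new ArrayList<>();
        this._aliasX509 = new HashMap();
        this._certHosts = new HashMap();
        this._certWilds = new HashMap();
        this._useCipherSuitesOrder = true;
        this._sslProtocol = "TLS";
        this._sessionCachingEnabled = true;
        this._sslSessionCacheSize = -1;
        this._sslSessionTimeout = -1;
        // NOTE(review): null disables hostname verification for client-mode engines; callers
        // that connect out should set this field (e.g. to "HTTPS") before start.
        this._endpointIdentificationAlgorithm = null;
        this._renegotiationAllowed = true;
        this._renegotiationLimit = 5;
        // The sets were just created, so the clear() calls of the original were no-ops.
        this._excludeProtocols.addAll(Arrays.asList(DEFAULT_EXCLUDED_PROTOCOLS));
        this._excludeCipherSuites.addAll(Arrays.asList(DEFAULT_EXCLUDED_CIPHER_SUITES));
    }

    /**
     * Applies this factory's policy to an engine: endpoint identification algorithm,
     * cipher-suite ordering, the SNI matcher (only when host or wildcard entries exist) and
     * the selected cipher suites and protocols.
     *
     * @param sSLEngine the engine to configure; its parameters are read, modified and set back
     */
    public final void customize(SSLEngine sSLEngine) {
        Logger logger = LOG;
        if (logger.isDebugEnabled()) {
            logger.debug("Customize {}", sSLEngine);
        }
        SSLParameters params = sSLEngine.getSSLParameters();
        // A null algorithm means the engine performs no hostname check during the handshake.
        params.setEndpointIdentificationAlgorithm(this._endpointIdentificationAlgorithm);
        params.setUseCipherSuitesOrder(this._useCipherSuitesOrder);
        if (!this._certHosts.isEmpty() || !this._certWilds.isEmpty()) {
            params.setSNIMatchers(Collections.singletonList(new AliasSNIMatcher()));
        }
        // When load() has not run (or doStop() cleared the selection) the engine keeps its
        // own defaults, i.e. the exclusions are NOT applied.
        String[] cipherSuites = this._selectedCipherSuites;
        if (cipherSuites != null) {
            params.setCipherSuites(cipherSuites);
        }
        String[] protocols = this._selectedProtocols;
        if (protocols != null) {
            params.setProtocols(protocols);
        }
        sSLEngine.setSSLParameters(params);
    }

    /**
     * Loads the context, then self-checks the resulting configuration on a throw-away engine
     * and logs a warning for every enabled protocol or cipher suite that is on the default
     * exclusion lists, and for a missing endpoint identification algorithm.
     *
     * <p>The checks only warn; start-up is not aborted when a weak setting is found.
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public final void doStart() {
        synchronized (this) {
            load();
        }
        Logger configLog = LOG_CONFIG;
        if (this._endpointIdentificationAlgorithm == null) {
            configLog.warn("No Client EndPointIdentificationAlgorithm configured for {}", this);
        }
        SSLEngine probeEngine = ((SSLContext) this._factory._map).createSSLEngine();
        customize(probeEngine);
        SSLParameters effective = probeEngine.getSSLParameters();
        for (String protocol : effective.getProtocols()) {
            for (String excluded : DEFAULT_EXCLUDED_PROTOCOLS) {
                if (excluded.equals(protocol)) {
                    configLog.warn("Protocol {} not excluded for {}", protocol, this);
                }
            }
        }
        // Compile each default exclusion once instead of once per (suite, pattern) pair.
        Pattern[] weakPatterns = new Pattern[DEFAULT_EXCLUDED_CIPHER_SUITES.length];
        for (int i = 0; i < weakPatterns.length; i++) {
            weakPatterns[i] = Pattern.compile(DEFAULT_EXCLUDED_CIPHER_SUITES[i]);
        }
        for (String suite : effective.getCipherSuites()) {
            for (Pattern weak : weakPatterns) {
                if (weak.matcher(suite).matches()) {
                    configLog.warn("Weak cipher suite {} enabled for {}", suite, this);
                }
            }
        }
    }

    /** Drops the loaded context, the protocol/cipher selection and the certificate maps. */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public final void doStop() {
        synchronized (this) {
            this._factory = null;
            this._selectedProtocols = null;
            this._selectedCipherSuites = null;
            this._aliasX509.clear();
            this._certHosts.clear();
            this._certWilds.clear();
        }
    }

    /**
     * Creates and initialises the {@link SSLContext}, tunes the server session cache, and
     * computes {@code _selectedCipherSuites} and {@code _selectedProtocols} from the
     * include/exclude settings.
     *
     * <p>Selection rule for both lists: start from the includes (or the context defaults when
     * no include is configured), then remove everything that is excluded, so an exclusion
     * always wins over an inclusion.
     *
     * <p>NOTE(review): {@code SSLContext.getInstance} and {@code SSLContext.init} declare
     * checked exceptions; the decompiled signature carries no {@code throws} clause, so it has
     * to be restored to match the superclass contract before this source can be compiled.
     */
    public final void load() {
        SSLContext sSLContext = SSLContext.getInstance(this._sslProtocol);
        // All three arguments null: platform-default key managers, trust managers and
        // SecureRandom. No application key store or trust store is involved.
        sSLContext.init(null, null, null);
        SSLSessionContext serverSessions = sSLContext.getServerSessionContext();
        if (serverSessions != null) {
            int cacheSize = this._sslSessionCacheSize;
            if (cacheSize > -1) {
                serverSessions.setSessionCacheSize(cacheSize);
            }
            int timeoutSeconds = this._sslSessionTimeout;
            if (timeoutSeconds > -1) {
                serverSessions.setSessionTimeout(timeoutSeconds);
            }
        }
        SSLParameters defaultSSLParameters = sSLContext.getDefaultSSLParameters();
        SSLParameters supportedSSLParameters = sSLContext.getSupportedSSLParameters();
        Logger logger = LOG;

        // ---- cipher suites ----
        String[] defaultCiphers = defaultSSLParameters.getCipherSuites();
        String[] supportedCiphers = supportedSSLParameters.getCipherSuites();
        ArrayList<String> selectedCiphers = new ArrayList<>();
        if (this._includeCipherSuites.isEmpty()) {
            selectedCiphers.addAll(Arrays.asList(defaultCiphers));
        } else {
            // Includes are matched against everything the provider supports, not only its
            // defaults, so an include can enable a suite the provider ships disabled.
            for (String includeRegex : this._includeCipherSuites) {
                Pattern include = Pattern.compile(includeRegex);
                boolean matchedAny = false;
                for (String supported : supportedCiphers) {
                    if (include.matcher(supported).matches()) {
                        selectedCiphers.add(supported);
                        matchedAny = true;
                    }
                }
                if (!matchedAny) {
                    logger.info("No Cipher matching '{}' is supported", includeRegex);
                }
            }
        }
        for (String excludeRegex : this._excludeCipherSuites) {
            Pattern exclude = Pattern.compile(excludeRegex);
            Iterator<String> candidates = selectedCiphers.iterator();
            while (candidates.hasNext()) {
                if (exclude.matcher(candidates.next()).matches()) {
                    candidates.remove();
                }
            }
        }
        if (selectedCiphers.isEmpty()) {
            logger.warn("No supported ciphers from {}", Arrays.asList(supportedCiphers));
        }
        this._selectedCipherSuites = selectedCiphers.toArray(new String[0]);

        // ---- protocols ----
        String[] defaultProtocols = defaultSSLParameters.getProtocols();
        String[] supportedProtocols = supportedSSLParameters.getProtocols();
        LinkedHashSet<String> selectedProtocols = new LinkedHashSet<>();
        if (this._includeProtocols.isEmpty()) {
            selectedProtocols.addAll(Arrays.asList(defaultProtocols));
        } else {
            for (String included : this._includeProtocols) {
                if (Arrays.asList(supportedProtocols).contains(included)) {
                    selectedProtocols.add(included);
                } else {
                    logger.info("Protocol {} not supported in {}", included, Arrays.asList(supportedProtocols));
                }
            }
        }
        selectedProtocols.removeAll(this._excludeProtocols);
        if (selectedProtocols.isEmpty()) {
            logger.warn("No selected protocols from {}", Arrays.asList(supportedProtocols));
        }
        this._selectedProtocols = selectedProtocols.toArray(new String[0]);

        // doStart() reads the context back through _factory._map.
        this._factory = new AttributesMap(8, sSLContext);
        if (logger.isDebugEnabled()) {
            logger.debug("Selected Protocols {} of {}", Arrays.asList(this._selectedProtocols), Arrays.asList(supportedSSLParameters.getProtocols()));
            logger.debug("Selected Ciphers   {} of {}", Arrays.asList(this._selectedCipherSuites), Arrays.asList(supportedSSLParameters.getCipherSuites()));
        }
    }

    /**
     * Returns a short identity string. Provider, key store and trust store are always printed
     * as {@code null} because this build never configures them.
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public final String toString() {
        return String.format("%s@%x[provider=%s,keyStore=%s,trustStore=%s]", "SslContextFactory", Integer.valueOf(hashCode()), null, null, null);
    }
}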
