package org.eclipse.jetty.server;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.http.BadMessageException;
import org.eclipse.jetty.http.HttpField;
import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.PreEncodedHttpField;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ssl.SslConnection;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.ProxyConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.annotation.Name;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.ssl.X509;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/jetty/server/SecureRequestCustomizer.class */
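/**
 * {@link HttpConfiguration.Customizer} that wraps requests received over TLS so they report
 * {@code isSecure() == true}, exposes TLS session details as request attributes, optionally
 * validates SNI against the server certificate, and optionally adds a
 * Strict-Transport-Security response header.
 *
 * <p>Reconstructed from decompiled bytecode: the hash-based string switch and the expanded record
 * emitted by the decompiler have been folded back into ordinary Java.
 */
public class SecureRequestCustomizer implements HttpConfiguration.Customizer {
    /** Request attribute holding the negotiated cipher suite name. */
    public static final String CIPHER_SUITE_ATTRIBUTE = "org.eclipse.jetty.server.cipher";
    /** Request attribute holding the key size deduced from the cipher suite. */
    public static final String KEY_SIZE_ATTRIBUTE = "org.eclipse.jetty.server.keySize";
    /** Request attribute holding the hex-encoded TLS session id. */
    public static final String SSL_SESSION_ID_ATTRIBUTE = "org.eclipse.jetty.server.sslSessionId";
    /** Request attribute holding the peer certificate chain. */
    public static final String PEER_CERTIFICATES_ATTRIBUTE = "org.eclipse.jetty.server.peerCertificates";
    /** Request attribute (and SSLSession value key) holding the local {@link X509} wrapper. */
    public static final String X509_ATTRIBUTE = "org.eclipse.jetty.server.x509";
    /** Default request attribute name for the raw {@link SSLSession}. */
    public static final String DEFAULT_SSL_SESSION_ATTRIBUTE = "org.eclipse.jetty.server.sslSession";
    /** Default request attribute name for the {@link SslSessionData}; the session name plus "Data". */
    public static final String DEFAULT_SSL_SESSION_DATA_ATTRIBUTE = newSslSessionDataAttribute(DEFAULT_SSL_SESSION_ATTRIBUTE);
    private static final Logger LOG = LoggerFactory.getLogger(SecureRequestCustomizer.class);

    private String _sslSessionAttribute;
    private String _sslSessionDataAttribute;
    private boolean _sniRequired;
    private boolean _sniHostCheck;
    private long _stsMaxAge;
    private boolean _stsIncludeSubDomains;
    // Pre-built Strict-Transport-Security field, or null when HSTS is disabled (negative max-age).
    private HttpField _stsField;

    /**
     * Request wrapper that unconditionally reports itself as secure.
     *
     * <p>Decompiler note: this class was {@code protected} in the original class file.
     */
    public static class SecureRequest extends Request.Wrapper {
        public SecureRequest(Request request) {
            super(request);
        }

        /** @return always {@code true} */
        @Override
        public boolean isSecure() {
            return true;
        }
    }

    /**
     * Secure request backed by a local TLS session; serves the TLS-related request attributes.
     *
     * <p>Decompiler note: this class was {@code protected} in the original class file.
     */
    public class SecureRequestWithTLSData extends SecureRequest {
        private final SSLSession _sslSession;
        // Null when the session details could not be extracted (see the constructor).
        private final SslSessionData _sslSessionData;

        /**
         * Runs the SNI check and then loads, or computes and caches, the session details.
         *
         * @param request the request to wrap
         * @param sslEngine the engine whose session describes this connection
         * @throws BadMessageException if {@link #checkSni(Request, SSLSession)} rejects the request
         */
        public SecureRequestWithTLSData(Request request, SSLEngine sslEngine) {
            super(request);
            this._sslSession = sslEngine.getSession();
            // Deliberately outside the try below: an SNI rejection must propagate, not be logged away.
            SecureRequestCustomizer.this.checkSni(request, this._sslSession);

            // The derived data is cached on the SSLSession itself, keyed by the record's class name.
            String cacheKey = SslSessionData.class.getName();
            SslSessionData data = (SslSessionData) this._sslSession.getValue(cacheKey);
            if (data == null) {
                try {
                    String cipherSuite = this._sslSession.getCipherSuite();
                    data = new SslSessionData(
                        StringUtil.toHexString(this._sslSession.getId()),
                        cipherSuite,
                        SslContextFactory.deduceKeyLength(cipherSuite),
                        SecureRequestCustomizer.this.getCertChain(getConnectionMetaData().getConnector(), this._sslSession));
                    this._sslSession.putValue(cacheKey, data);
                } catch (Exception e) {
                    // Best effort: the request stays secure, but the derived attributes read as null.
                    LOG.warn("Unable to get secure details ", e);
                }
            }
            this._sslSessionData = data;
        }

        /**
         * Resolves the TLS attributes locally and delegates every other name to the wrapped request.
         *
         * @param name the attribute name
         * @return the attribute value; {@code null} for a derived TLS attribute when the session
         *     details are unavailable
         */
        @Override
        public Object getAttribute(String name) {
            String sessionAttribute = SecureRequestCustomizer.this.getSslSessionAttribute();
            if (StringUtil.isNotBlank(sessionAttribute) && name.startsWith(sessionAttribute)) {
                if (name.equals(sessionAttribute)) {
                    return this._sslSession;
                }
                if (name.equals(SecureRequestCustomizer.this.getSslSessionDataAttribute())) {
                    return this._sslSessionData;
                }
            }
            switch (name) {
                case SecureRequestCustomizer.CIPHER_SUITE_ATTRIBUTE:
                    if (this._sslSessionData != null) {
                        return this._sslSessionData.cipherSuite();
                    }
                    return null;
                case SecureRequestCustomizer.KEY_SIZE_ATTRIBUTE:
                    if (this._sslSessionData != null) {
                        return Integer.valueOf(this._sslSessionData.keySize());
                    }
                    return null;
                case SecureRequestCustomizer.SSL_SESSION_ID_ATTRIBUTE:
                    if (this._sslSessionData != null) {
                        return this._sslSessionData.sessionId();
                    }
                    return null;
                case SecureRequestCustomizer.PEER_CERTIFICATES_ATTRIBUTE:
                    if (this._sslSessionData != null) {
                        return this._sslSessionData.peerCertificates();
                    }
                    return null;
                case SecureRequestCustomizer.X509_ATTRIBUTE:
                    return SecureRequestCustomizer.this.getX509(this._sslSession);
                default:
                    return super.getAttribute(name);
            }
        }

        /**
         * Lists the wrapped request's attribute names plus the TLS attribute names.
         *
         * @return a new mutable set of attribute names
         */
        @Override
        public Set<String> getAttributeNameSet() {
            Set<String> names = new HashSet<>(super.getAttributeNameSet());
            if (SecureRequestCustomizer.this.getX509(this._sslSession) != null) {
                names.add(SecureRequestCustomizer.X509_ATTRIBUTE);
            }
            String sessionAttribute = SecureRequestCustomizer.this.getSslSessionAttribute();
            // Fixed: the test was negated, so the TLS names were advertised only for a blank
            // session attribute name, which getAttribute never serves. The condition now matches
            // the one getAttribute uses for the session attribute.
            if (StringUtil.isNotBlank(sessionAttribute)) {
                names.add(sessionAttribute);
                if (this._sslSessionData != null) {
                    names.add(SecureRequestCustomizer.this.getSslSessionDataAttribute());
                    names.add(SecureRequestCustomizer.CIPHER_SUITE_ATTRIBUTE);
                    names.add(SecureRequestCustomizer.KEY_SIZE_ATTRIBUTE);
                    names.add(SecureRequestCustomizer.SSL_SESSION_ID_ATTRIBUTE);
                    names.add(SecureRequestCustomizer.PEER_CERTIFICATES_ATTRIBUTE);
                }
            }
            return names;
        }
    }

    /**
     * Immutable snapshot of the TLS session details exposed as request attributes.
     *
     * <p>{@code peerCertificates} is stored and returned by reference, not copied, and the same
     * instance is cached on the SSLSession; callers should treat the array as read-only.
     *
     * @param sessionId hex-encoded TLS session id
     * @param cipherSuite negotiated cipher suite name
     * @param keySize key size deduced from the cipher suite
     * @param peerCertificates certificate chain obtained for the session
     */
    public record SslSessionData(String sessionId, String cipherSuite, int keySize, X509Certificate[] peerCertificates) {
    }

    /** Creates a customizer with the SNI host check enabled, SNI not required and HSTS disabled. */
    public SecureRequestCustomizer() {
        this(true);
    }

    /**
     * @param sniHostCheck whether the request's server name must match the certificate
     */
    public SecureRequestCustomizer(@Name("sniHostCheck") boolean sniHostCheck) {
        this(sniHostCheck, -1L, false);
    }

    /**
     * @param sniHostCheck whether the request's server name must match the certificate
     * @param stsMaxAgeSeconds HSTS max-age in seconds; a negative value disables the header
     * @param stsIncludeSubdomains whether the HSTS header carries {@code includeSubDomains}
     */
    public SecureRequestCustomizer(@Name("sniHostCheck") boolean sniHostCheck, @Name("stsMaxAgeSeconds") long stsMaxAgeSeconds, @Name("stsIncludeSubdomains") boolean stsIncludeSubdomains) {
        this(false, sniHostCheck, stsMaxAgeSeconds, stsIncludeSubdomains);
    }

    /**
     * @param sniRequired whether an SNI host matching the certificate is mandatory
     * @param sniHostCheck whether the request's server name must match the certificate
     * @param stsMaxAgeSeconds HSTS max-age in seconds; a negative value disables the header
     * @param stsIncludeSubdomains whether the HSTS header carries {@code includeSubDomains}
     */
    public SecureRequestCustomizer(@Name("sniRequired") boolean sniRequired, @Name("sniHostCheck") boolean sniHostCheck, @Name("stsMaxAgeSeconds") long stsMaxAgeSeconds, @Name("stsIncludeSubdomains") boolean stsIncludeSubdomains) {
        this._sslSessionAttribute = DEFAULT_SSL_SESSION_ATTRIBUTE;
        this._sslSessionDataAttribute = DEFAULT_SSL_SESSION_DATA_ATTRIBUTE;
        this._sniRequired = sniRequired;
        this._sniHostCheck = sniHostCheck;
        this._stsMaxAge = stsMaxAgeSeconds;
        this._stsIncludeSubDomains = stsIncludeSubdomains;
        formatSTS();
    }

    /** @return whether the request's server name is checked against the certificate */
    public boolean isSniHostCheck() {
        return this._sniHostCheck;
    }

    /** @param sniHostCheck whether the request's server name is checked against the certificate */
    public void setSniHostCheck(boolean sniHostCheck) {
        this._sniHostCheck = sniHostCheck;
    }

    /** @return whether an SNI host matching the certificate is mandatory */
    public boolean isSniRequired() {
        return this._sniRequired;
    }

    /** @param sniRequired whether an SNI host matching the certificate is mandatory */
    public void setSniRequired(boolean sniRequired) {
        this._sniRequired = sniRequired;
    }

    /** @return the HSTS max-age in seconds; negative when the header is disabled */
    public long getStsMaxAge() {
        return this._stsMaxAge;
    }

    /** @param stsMaxAgeSeconds the HSTS max-age in seconds; a negative value disables the header */
    public void setStsMaxAge(long stsMaxAgeSeconds) {
        setStsMaxAge(stsMaxAgeSeconds, TimeUnit.SECONDS);
    }

    /**
     * Sets the HSTS max-age and rebuilds the cached header field.
     *
     * @param period the max-age expressed in {@code units}
     * @param units the unit of {@code period}; converted to whole seconds
     */
    public void setStsMaxAge(long period, TimeUnit units) {
        this._stsMaxAge = units.toSeconds(period);
        formatSTS();
    }

    /** @return whether the HSTS header carries {@code includeSubDomains} */
    public boolean isStsIncludeSubDomains() {
        return this._stsIncludeSubDomains;
    }

    /** @param stsIncludeSubDomains whether the HSTS header carries {@code includeSubDomains} */
    public void setStsIncludeSubDomains(boolean stsIncludeSubDomains) {
        this._stsIncludeSubDomains = stsIncludeSubDomains;
        formatSTS();
    }

    /** Rebuilds the cached Strict-Transport-Security field from the current settings. */
    private void formatSTS() {
        long maxAge = getStsMaxAge();
        if (maxAge < 0) {
            this._stsField = null;
            return;
        }
        // Concatenation rather than String.format("%d"): %d follows the default locale and can
        // emit non-ASCII digits, which would produce an unusable max-age directive.
        String value = "max-age=" + maxAge + (isStsIncludeSubDomains() ? "; includeSubDomains" : "");
        this._stsField = new PreEncodedHttpField(HttpHeader.STRICT_TRANSPORT_SECURITY, value);
    }

    /**
     * Wraps the request as secure when its endpoint indicates TLS and adds the HSTS header when
     * one is configured.
     *
     * @param request the incoming request
     * @param responseHeaders the response headers to add to
     * @return the wrapped request, or {@code request} itself when no TLS indication was found
     */
    @Override
    public Request customize(Request request, HttpFields.Mutable responseHeaders) {
        EndPoint endPoint = request.getConnectionMetaData().getConnection().getEndPoint();
        if (endPoint instanceof SslConnection.SslEndPoint sslEndPoint) {
            request = newSecureRequest(request, sslEndPoint.getSslConnection().getSSLEngine());
        } else if (endPoint instanceof ProxyConnectionFactory.ProxyEndPoint proxyEndPoint
            && proxyEndPoint.getAttribute(ProxyConnectionFactory.TLS_VERSION) != null) {
            // NOTE(review): here the request is reported as secure solely because the proxy
            // endpoint carries a TLS_VERSION attribute; with no local SSLEngine there is no SNI
            // check and no TLS attributes. Presumably the attribute is taken from what the
            // upstream proxy declared, so confirm that only trusted proxies can reach this connector.
            request = newSecureRequest(request, null);
        }
        // The HSTS field is added for every request passing through here, whether or not it was
        // recognised as secure above.
        if (this._stsField != null) {
            responseHeaders.add(this._stsField);
        }
        return request;
    }

    /**
     * Creates the secure wrapper for a request.
     *
     * @param request the request to wrap
     * @param sslEngine the TLS engine of the connection, or {@code null} when TLS was terminated elsewhere
     * @return a {@link SecureRequestWithTLSData} when an engine is given, else a plain {@link SecureRequest}
     */
    protected Request newSecureRequest(Request request, SSLEngine sslEngine) {
        if (sslEngine == null) {
            return new SecureRequest(request);
        }
        return new SecureRequestWithTLSData(request, sslEngine);
    }

    /**
     * Obtains the certificate chain for the session, preferring the connector's own
     * {@link SslContextFactory.Server} and falling back to the static helper when the connector
     * has no SSL connection factory or no context factory.
     */
    private X509Certificate[] getCertChain(Connector connector, SSLSession sslSession) {
        SslConnectionFactory connectionFactory = (SslConnectionFactory) connector.getConnectionFactory(SslConnectionFactory.class);
        if (connectionFactory != null) {
            SslContextFactory.Server contextFactory = connectionFactory.getSslContextFactory();
            if (contextFactory != null) {
                return contextFactory.getX509CertChain(sslSession);
            }
        }
        return SslContextFactory.getCertChain(sslSession);
    }

    /**
     * Sets the request attribute name for the raw {@link SSLSession}; the data attribute name is
     * derived from it by appending "Data".
     *
     * @param attribute the attribute name
     * @throws NullPointerException if {@code attribute} is {@code null}
     */
    public void setSslSessionAttribute(String attribute) {
        Objects.requireNonNull(attribute);
        this._sslSessionAttribute = attribute;
        this._sslSessionDataAttribute = newSslSessionDataAttribute(attribute);
    }

    /** @return the request attribute name for the raw {@link SSLSession} */
    public String getSslSessionAttribute() {
        return this._sslSessionAttribute;
    }

    /** @return the request attribute name for the {@link SslSessionData} */
    public String getSslSessionDataAttribute() {
        return this._sslSessionDataAttribute;
    }

    /** Derives the data attribute name from the session attribute name. */
    private static String newSslSessionDataAttribute(String sessionAttribute) {
        return sessionAttribute + "Data";
    }

    /**
     * Validates the SNI host and/or the request's server name against the local certificate.
     * Does nothing when both {@link #isSniRequired()} and {@link #isSniHostCheck()} are off.
     *
     * @param request the request whose server name is checked
     * @param session the TLS session holding the SNI host and certificate
     * @throws BadMessageException with status 400 when no certificate is available, when SNI is
     *     required but absent or not matched by the certificate, or when the host check is on and
     *     the certificate does not match the request's server name
     */
    protected void checkSni(Request request, SSLSession session) {
        if (!isSniRequired() && !isSniHostCheck()) {
            return;
        }
        String sniHost = (String) session.getValue(SslContextFactory.Server.SNI_HOST);
        X509 x509 = getX509(session);
        if (x509 == null) {
            throw new BadMessageException(400, "Invalid SNI");
        }
        String serverName = Request.getServerName(request);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sniHost, x509);
        }
        if (isSniRequired() && (sniHost == null || !x509.matches(sniHost))) {
            throw new BadMessageException(400, "Invalid SNI");
        }
        // The host check compares the request's server name, not the SNI value, so it applies
        // even when the client sent no SNI.
        if (isSniHostCheck() && !x509.matches(serverName)) {
            throw new BadMessageException(400, "Invalid SNI");
        }
    }

    /**
     * Returns the {@link X509} cached on the session, building and caching one from the first
     * local certificate when absent.
     *
     * @return the wrapper, or {@code null} when the session has no local X.509 certificate
     */
    private X509 getX509(SSLSession session) {
        X509 cached = (X509) session.getValue(X509_ATTRIBUTE);
        if (cached != null) {
            return cached;
        }
        Certificate[] localCertificates = session.getLocalCertificates();
        if (localCertificates == null || localCertificates.length == 0 || !(localCertificates[0] instanceof X509Certificate)) {
            return null;
        }
        X509 created = new X509(null, (X509Certificate) localCertificates[0]);
        session.putValue(X509_ATTRIBUTE, created);
        return created;
    }

    /** @return the simple class name followed by {@code @} and the hex identity hash */
    @Override
    public String toString() {
        return String.format("%s@%x", getClass().getSimpleName(), Integer.valueOf(hashCode()));
    }
}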
