package org.eclipse.jetty.util.ssl;

import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.X509ExtendedKeyManager;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

/* loaded from: input_file:WEB-INF/lib/jetty-util-9.3.0.RC0.jar:org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.class */
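/**
 * An {@link SslContextFactory} that maps the Server Name Indication (SNI) host name offered by a
 * TLS client to a key store alias.
 *
 * <p>On start, every X.509 certificate in the key store that is not marked as a certificate-signing
 * (CA) certificate is indexed by its DNS subject alternative names, or by its subject CN when it has
 * no DNS SAN. Names starting with {@code "*."} are additionally indexed as single-label wildcards.
 *
 * <p>Host names are compared case-insensitively: keys are stored lower-cased and the client's SNI
 * name is lower-cased before lookup.
 *
 * <p>The alias maps are plain {@link HashMap}s with no synchronization; they are rebuilt in
 * {@link #doStart()} and read by matchers created in {@link #customize(SSLEngine)}.
 */
public class ExtendedSslContextFactory extends SslContextFactory {
    static final Logger LOG = Log.getLogger((Class<?>) ExtendedSslContextFactory.class);

    /** GeneralName tag of a dNSName entry in {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_DNS_NAME = 2;

    /** Index of the keyCertSign bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_KEY_CERT_SIGN = 5;

    // Lower-cased certificate host name (SAN or CN, may start with "*.") -> key store alias.
    private final Map<String, String> _aliases = new HashMap<>();
    // Lower-cased wildcard suffix including the leading dot (".example.com") -> key store alias.
    private final Map<String, String> _wild = new HashMap<>();
    private boolean _useCipherSuitesOrder = true;

    /**
     * Normalizes a host name for use as a map key. DNS names are case-insensitive, so both the
     * certificate names and the client-supplied SNI name are folded to lower case.
     */
    private static String normalizeHost(String host) {
        return host.toLowerCase(Locale.ROOT);
    }

    /**
     * SNI matcher that resolves the client's requested host name to a key store alias and remembers
     * the result for later retrieval through {@link #getAlias()} and {@link #getServerName()}.
     *
     * <p>A matcher instance is stateful: {@link #matches(SNIServerName)} overwrites the stored name
     * and alias, so one instance is created per {@link SSLEngine} in
     * {@link ExtendedSslContextFactory#customize(SSLEngine)}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/jetty-util-9.3.0.RC0.jar:org/eclipse/jetty/util/ssl/ExtendedSslContextFactory$AliasSNIMatcher.class */
    public class AliasSNIMatcher extends SNIMatcher {
        private String _alias;
        private SNIHostName _name;

        protected AliasSNIMatcher() {
            // 0 is the SNI name type for host_name, the only type this matcher handles.
            super(0);
        }

        /**
         * Decides whether the handshake may proceed for the server name sent by the client.
         *
         * <p>Security-relevant behavior:
         * <ul>
         *   <li>When no SNI-capable certificate was indexed, every server name is accepted and no
         *       alias is recorded.</li>
         *   <li>Otherwise only an exact host match or a single-label wildcard match is accepted;
         *       anything else is rejected by returning {@code false}.</li>
         * </ul>
         *
         * @param sNIServerName the server name from the ClientHello
         * @return {@code true} to accept the name, {@code false} to reject it
         */
        @Override // javax.net.ssl.SNIMatcher
        public boolean matches(SNIServerName sNIServerName) {
            LOG.debug("matches={} for {}", sNIServerName, this);
            if (_aliases.isEmpty() && _wild.isEmpty()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("No SNI ready certificates for {} in {}", sNIServerName, ExtendedSslContextFactory.this);
                }
                return true;
            }
            if (!(sNIServerName instanceof SNIHostName)) {
                return false;
            }
            this._name = (SNIHostName) sNIServerName;
            if (_aliases.isEmpty()) {
                return true;
            }

            // The SNI name is client-controlled: fold case before lookup so "WWW.Example.COM"
            // resolves to the same alias as "www.example.com".
            String host = normalizeHost(this._name.getAsciiName());
            this._alias = _aliases.get(host);
            if (this._alias != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("matched {}->{}", this._name.getAsciiName(), this._alias);
                }
                return true;
            }

            // A name without a dot (e.g. "localhost") cannot match a "*.domain" wildcard.
            // Without this guard, substring(-1) would throw in the middle of the handshake.
            int firstDot = host.indexOf('.');
            if (firstDot < 0) {
                return false;
            }
            // Only the left-most label is replaced by the wildcard: "a.b.example.com" is looked up
            // as ".b.example.com" and therefore does not match "*.example.com".
            this._alias = _wild.get(host.substring(firstDot));
            if (this._alias == null) {
                return false;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("wild match {}->{}", this._name.getAsciiName(), this._alias);
            }
            return true;
        }

        /**
         * @return the key store alias selected by the last call to {@link #matches(SNIServerName)},
         *     or {@code null} if none was selected
         */
        public String getAlias() {
            return this._alias;
        }

        /**
         * @return the ASCII form of the host name seen by the last call to
         *     {@link #matches(SNIServerName)}, or {@code null} if no host name was recorded
         */
        public String getServerName() {
            if (this._name == null) {
                return null;
            }
            return this._name.getAsciiName();
        }
    }

    /** @return whether the server's cipher suite preference order is enforced on new engines */
    public boolean isUseCipherSuitesOrder() {
        return this._useCipherSuitesOrder;
    }

    /** @param z {@code true} to enforce the server's cipher suite preference order */
    public void setUseCipherSuitesOrder(boolean z) {
        this._useCipherSuitesOrder = z;
    }

    /**
     * Starts the factory and rebuilds the host-name-to-alias index from the key store.
     *
     * <p>Entries without a certificate and certificates that are not X.509 are skipped, as are
     * certificates whose key usage has the keyCertSign bit set. For the remaining certificates the
     * DNS subject alternative names are indexed; the subject CN is used only when no DNS SAN exists
     * and only if it looks like a host name (contains a dot and no space).
     *
     * @throws Exception if the superclass fails to start or a certificate cannot be parsed
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.jetty.util.ssl.SslContextFactory, org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStart() throws Exception {
        super.doStart();
        this._aliases.clear();
        if (this._factory._keyStore != null) {
            for (String alias : Collections.list(this._factory._keyStore.aliases())) {
                Certificate certificate = this._factory._keyStore.getCertificate(alias);
                // getCertificate() returns null for entries that hold no certificate
                // (e.g. secret-key entries); those cannot serve TLS and are skipped.
                if (certificate == null || !"X.509".equals(certificate.getType())) {
                    continue;
                }
                X509Certificate x509Certificate = (X509Certificate) certificate;
                boolean[] keyUsage = x509Certificate.getKeyUsage();
                if (keyUsage != null && keyUsage[KEY_USAGE_KEY_CERT_SIGN]) {
                    // CA certificates are not offered as server certificates.
                    continue;
                }

                boolean hasDnsSan = false;
                Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
                if (subjectAlternativeNames != null) {
                    for (List<?> san : subjectAlternativeNames) {
                        if (((Number) san.get(0)).intValue() != SAN_DNS_NAME) {
                            continue;
                        }
                        String dnsName = san.get(1).toString();
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Certificate san alias={} cn={} in {}", alias, dnsName, this._factory);
                        }
                        hasDnsSan = true;
                        this._aliases.put(normalizeHost(dnsName), alias);
                    }
                }

                if (!hasDnsSan) {
                    LdapName subject = new LdapName(x509Certificate.getSubjectX500Principal().getName("RFC2253"));
                    for (Rdn rdn : subject.getRdns()) {
                        if (!rdn.getType().equalsIgnoreCase("cn")) {
                            continue;
                        }
                        String commonName = rdn.getValue().toString();
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Certificate cn alias={} cn={} in {}", alias, commonName, this._factory);
                        }
                        // Only treat the CN as a host name when it plausibly is one.
                        if (commonName.contains(".") && !commonName.contains(" ")) {
                            this._aliases.put(normalizeHost(commonName), alias);
                        }
                    }
                }
            }
        }

        this._wild.clear();
        for (Map.Entry<String, String> entry : this._aliases.entrySet()) {
            String host = entry.getKey();
            if (host.startsWith("*.")) {
                // Drop the '*' and keep the dot so lookups can use the suffix from the first dot.
                this._wild.put(host.substring(1), entry.getValue());
            }
        }
        LOG.info("x509={} for {}", this._aliases, this);
    }

    /**
     * Stops the factory and discards the host-name-to-alias index, including the wildcard index
     * derived from it, so that no stale alias survives a restart with a different key store.
     *
     * @throws Exception if the superclass fails to stop
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.jetty.util.ssl.SslContextFactory, org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStop() throws Exception {
        super.doStop();
        this._aliases.clear();
        this._wild.clear();
    }

    /**
     * Wraps every {@link X509ExtendedKeyManager} produced by the superclass in a
     * {@code SniX509ExtendedKeyManager}, passing the configured certificate alias.
     *
     * @param keyStore the key store to build key managers for
     * @return the superclass's key managers with the extended ones wrapped; may be {@code null} if
     *     the superclass returns {@code null}
     * @throws Exception if the superclass cannot create the key managers
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.jetty.util.ssl.SslContextFactory
    public KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception {
        KeyManager[] keyManagers = super.getKeyManagers(keyStore);
        if (keyManagers != null) {
            for (int i = 0; i < keyManagers.length; i++) {
                if (keyManagers[i] instanceof X509ExtendedKeyManager) {
                    keyManagers[i] = new SniX509ExtendedKeyManager((X509ExtendedKeyManager) keyManagers[i], getCertAlias());
                }
            }
        }
        LOG.debug("managers={} for {}", keyManagers, this);
        return keyManagers;
    }

    /**
     * Applies the superclass customization, then sets the cipher suite ordering preference and
     * installs a fresh {@link AliasSNIMatcher} on the engine.
     *
     * @param sSLEngine the engine to configure
     */
    @Override // org.eclipse.jetty.util.ssl.SslContextFactory
    public void customize(SSLEngine sSLEngine) {
        super.customize(sSLEngine);
        SSLParameters sSLParameters = sSLEngine.getSSLParameters();
        sSLParameters.setUseCipherSuitesOrder(this._useCipherSuitesOrder);
        // One matcher per engine: the matcher stores the per-handshake name and alias.
        sSLParameters.setSNIMatchers(Collections.singletonList(new AliasSNIMatcher()));
        sSLEngine.setSSLParameters(sSLParameters);
    }
}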
