package org.xipki.http.server;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.ByteArrayInputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.http.server.conf.FileOrBinaryType;
import org.xipki.http.server.conf.HttpServersConf;
import org.xipki.http.server.conf.HttpserverType;
import org.xipki.http.server.conf.KeystoreType;
import org.xipki.http.server.conf.TlsType;
import org.xipki.http.server.conf.TruststoreType;
import org.xipki.http.servlet.SslReverseProxyMode;
import org.xipki.password.PasswordResolver;

/* loaded from: input_file:org/xipki/http/server/HttpServers.class */
public final class HttpServers implements Closeable {
    private static final Logger LOG = LoggerFactory.getLogger(HttpServers.class);
    private final Set<HttpServer> servers = new HashSet();
    private ServletListener servletListener;
    private String confFile;
    private HttpServersConf conf;
    private PasswordResolver passwordResolver;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.http.server.HttpServers$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/http/server/HttpServers$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$netty$handler$ssl$SslProvider = new int[SslProvider.values().length];

        static {
            try {
                $SwitchMap$io$netty$handler$ssl$SslProvider[SslProvider.JDK.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$netty$handler$ssl$SslProvider[SslProvider.OPENSSL.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$netty$handler$ssl$SslProvider[SslProvider.OPENSSL_REFCNT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    public void setServletListener(ServletListener servletListener) {
        this.servletListener = servletListener;
        Iterator<HttpServer> it = this.servers.iterator();
        while (it.hasNext()) {
            it.next().setServletListener(servletListener);
        }
    }

    public void setPasswordResolver(PasswordResolver passwordResolver) {
        this.passwordResolver = passwordResolver;
    }

    public void setConfFile(String str) {
        this.confFile = str;
    }

    public void setConf(HttpServersConf httpServersConf) {
        this.conf = httpServersConf;
    }

    public void start() throws Exception {
        SslReverseProxyMode sslReverseProxyMode;
        if (this.conf == null && this.confFile == null) {
            throw new IllegalStateException("neither conf nor confFile is not set");
        }
        if (this.conf == null) {
            InputStream newInputStream = Files.newInputStream(Paths.get(this.confFile, new String[0]), new OpenOption[0]);
            try {
                this.conf = (HttpServersConf) JSON.parseObject(newInputStream, HttpServersConf.class, new Feature[0]);
            } finally {
                newInputStream.close();
            }
        }
        if (this.servletListener == null) {
            throw new IllegalStateException("servletListener is not set");
        }
        List<HttpserverType> httpservers = this.conf.getHttpservers();
        HashSet hashSet = new HashSet();
        for (HttpserverType httpserverType : httpservers) {
            if (!httpserverType.isEnabled()) {
                LOG.info("HTTP server on port {} is disabled, ignore it", Integer.valueOf(httpserverType.getPort()));
            }
            int port = httpserverType.getPort();
            if (hashSet.contains(Integer.valueOf(port))) {
                throw new Exception("Duplicated use of the port " + port);
            }
            hashSet.add(Integer.valueOf(port));
            int intValue = httpserverType.getThreads() == null ? 0 : httpserverType.getThreads().intValue();
            String reverseProxy = httpserverType.getReverseProxy();
            if (reverseProxy == null || reverseProxy.equalsIgnoreCase("NONE")) {
                sslReverseProxyMode = SslReverseProxyMode.NONE;
            } else {
                if (!reverseProxy.equalsIgnoreCase("APACHE")) {
                    throw new Exception("invalid reverseProxy " + reverseProxy);
                }
                sslReverseProxyMode = SslReverseProxyMode.APACHE;
            }
            HttpServer httpServer = new HttpServer(buildSslContext(httpserverType), port, intValue);
            if (httpserverType.getMaxRequestSize() != null) {
                httpServer.setMaxRequestBodySize(httpserverType.getMaxRequestSize().intValue());
            }
            if (httpserverType.getMaxUriSize() != null) {
                httpServer.setMaxUriPathSize(httpserverType.getMaxUriSize().intValue());
            }
            httpServer.setServletListener(this.servletListener);
            httpServer.setSslReverseProxyMode(sslReverseProxyMode);
            this.servers.add(httpServer);
        }
        Iterator<HttpServer> it = this.servers.iterator();
        while (it.hasNext()) {
            it.next().start();
        }
    }

    @Deprecated
    public void shutdown() {
        close();
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.servers.isEmpty()) {
            LOG.info("found no HTTP server to shutdown");
            return;
        }
        for (HttpServer httpServer : this.servers) {
            httpServer.close();
            LOG.info("close HTTP server {}", httpServer);
        }
        this.servers.clear();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v232, types: [java.util.List] */
    private SslContext buildSslContext(HttpserverType httpserverType) throws Exception {
        SslProvider defaultServerProvider;
        List asList;
        ArrayList<String> arrayList;
        ClientAuth clientAuth;
        TlsType tls = httpserverType.getTls();
        if (tls == null) {
            return null;
        }
        KeystoreType keystore = tls.getKeystore();
        if (keystore == null) {
            throw new IllegalArgumentException("no keystore is configured");
        }
        char[] resolvePassword = this.passwordResolver.resolvePassword(keystore.getPassword());
        KeyStore loadKeyStore = loadKeyStore(keystore.getType(), keystore.getStore(), resolvePassword);
        String keyAlias = keystore.getKeyAlias();
        if (keyAlias == null) {
            Enumeration<String> aliases = loadKeyStore.aliases();
            while (true) {
                if (!aliases.hasMoreElements()) {
                    break;
                }
                String nextElement = aliases.nextElement();
                if (loadKeyStore.isKeyEntry(nextElement)) {
                    keyAlias = nextElement;
                    break;
                }
            }
            if (keyAlias == null) {
                throw new Exception("found no key entries in the keystore");
            }
        } else if (!loadKeyStore.isKeyEntry(keyAlias)) {
            throw new Exception("'" + keyAlias + "' is not a valid key alias");
        }
        PrivateKey privateKey = (PrivateKey) loadKeyStore.getKey(keyAlias, keystore.getKeyPassword() == null ? resolvePassword : this.passwordResolver.resolvePassword(keystore.getKeyPassword()));
        Certificate[] certificateChain = loadKeyStore.getCertificateChain(keyAlias);
        X509Certificate[] x509CertificateArr = new X509Certificate[certificateChain.length];
        for (int i = 0; i < certificateChain.length; i++) {
            x509CertificateArr[i] = (X509Certificate) certificateChain[i];
        }
        SslContextBuilder forServer = SslContextBuilder.forServer(privateKey, x509CertificateArr);
        boolean isAvailable = OpenSsl.isAvailable();
        if (tls.getProvider() == null || tls.getProvider().isEmpty() || tls.getProvider().equalsIgnoreCase("DEFAULT")) {
            if (!isAvailable) {
                logOpenSslWarning();
            }
            defaultServerProvider = SslContext.defaultServerProvider();
        } else {
            String provider = tls.getProvider();
            String replaceAll = provider.toLowerCase().replaceAll("[^a-z0-9]+", "");
            if ("jdk".equals(replaceAll)) {
                defaultServerProvider = SslProvider.JDK;
            } else {
                if (!"openssl".equals(replaceAll) && !"opensslrefcnt".equals(replaceAll)) {
                    throw new Exception("unknwon SSL provider " + provider);
                }
                if (!isAvailable) {
                    logOpenSslWarning();
                    throw new Exception("OpenSSL not available");
                }
                defaultServerProvider = "openssl".equals(replaceAll) ? SslProvider.OPENSSL : SslProvider.OPENSSL_REFCNT;
            }
        }
        LOG.info("use SSL provider {}", defaultServerProvider);
        forServer.sslProvider(defaultServerProvider);
        switch (AnonymousClass1.$SwitchMap$io$netty$handler$ssl$SslProvider[defaultServerProvider.ordinal()]) {
            case 1:
                SSLParameters supportedSSLParameters = SSLContext.getDefault().getSupportedSSLParameters();
                asList = Arrays.asList(supportedSSLParameters.getProtocols());
                arrayList = Arrays.asList(supportedSSLParameters.getCipherSuites());
                break;
            case 2:
            case 3:
                asList = Arrays.asList("TLSv1.1", "TLSv1.2");
                arrayList = new ArrayList(OpenSsl.availableJavaCipherSuites());
                break;
            default:
                throw new IllegalStateException("should not reach here, unknown SssProvider " + defaultServerProvider);
        }
        LOG.debug("available SSL protocols {}", asList);
        LOG.debug("available SSL cipher suites {}", arrayList);
        List<String> protocols = tls.getProtocols() != null ? tls.getProtocols() : Arrays.asList("TLSv1.1", "TLSv1.2");
        String[] strArr = new String[0];
        HashSet hashSet = new HashSet();
        for (String str : protocols) {
            boolean z = false;
            Iterator it = asList.iterator();
            while (true) {
                if (it.hasNext()) {
                    String str2 = (String) it.next();
                    if (str.equalsIgnoreCase(str2)) {
                        hashSet.add(str2);
                        z = true;
                    }
                }
            }
            if (!z) {
                LOG.warn("SSL Protocol {} unsupported, ignore it", str);
            }
        }
        if (hashSet.isEmpty()) {
            throw new Exception("None of the configured SSL protocols is supported");
        }
        LOG.info("use SSL protocols {}", hashSet);
        forServer.protocols((String[]) hashSet.toArray(strArr));
        boolean startsWith = ((String) arrayList.get(0)).startsWith("TLS_");
        HashSet hashSet2 = new HashSet();
        if (tls.getCiphersuites() != null) {
            for (String str3 : tls.getCiphersuites()) {
                if (str3.length() < 5) {
                    LOG.warn("cipher suite {} unsupported, ignore it", str3);
                } else {
                    String str4 = startsWith == str3.startsWith("TLS_") ? str3 : startsWith ? "TLS_" + str3.substring(4) : "SSL_" + str3.substring(4);
                    boolean z2 = false;
                    Iterator it2 = arrayList.iterator();
                    while (true) {
                        if (it2.hasNext()) {
                            String str5 = (String) it2.next();
                            if (str4.equalsIgnoreCase(str5)) {
                                hashSet2.add(str5);
                                z2 = true;
                            }
                        }
                    }
                    if (!z2) {
                        LOG.warn("SSL cipher suite {} unsupported, ignore it", str3);
                    }
                }
            }
        } else {
            String[] strArr2 = {"_3DES", "_DES", "EMPTY", "EXPORT", "anno", "NULL"};
            String[] strArr3 = {"MD5", "SHA"};
            for (String str6 : arrayList) {
                boolean z3 = true;
                int length = strArr2.length;
                int i2 = 0;
                while (true) {
                    if (i2 < length) {
                        if (str6.contains(strArr2[i2])) {
                            z3 = false;
                        } else {
                            i2++;
                        }
                    }
                }
                if (z3) {
                    int length2 = strArr3.length;
                    int i3 = 0;
                    while (true) {
                        if (i3 < length2) {
                            if (str6.endsWith(strArr3[i3])) {
                                z3 = false;
                            } else {
                                i3++;
                            }
                        }
                    }
                }
                if (z3) {
                    hashSet2.add(str6);
                }
            }
        }
        LOG.info("use SSL cipher suites {}", hashSet2);
        forServer.ciphers(hashSet2);
        String clientauth = tls.getClientauth();
        if ("none".equalsIgnoreCase(clientauth)) {
            clientAuth = ClientAuth.NONE;
        } else if ("optional".equalsIgnoreCase(clientauth)) {
            clientAuth = ClientAuth.OPTIONAL;
        } else {
            if (!"require".equalsIgnoreCase(clientauth)) {
                throw new Exception("invalid client authentication '" + clientauth + "'");
            }
            clientAuth = ClientAuth.REQUIRE;
        }
        forServer.clientAuth(clientAuth);
        if (clientAuth != ClientAuth.NONE) {
            TruststoreType truststore = tls.getTruststore();
            if (truststore == null) {
                throw new Exception("Client authentication is activated, but no truststore is configured");
            }
            KeyStore loadKeyStore2 = loadKeyStore(truststore.getType(), truststore.getStore(), this.passwordResolver.resolvePassword(truststore.getPassword()));
            LinkedList linkedList = new LinkedList();
            Enumeration<String> aliases2 = loadKeyStore2.aliases();
            while (aliases2.hasMoreElements()) {
                linkedList.add((X509Certificate) loadKeyStore2.getCertificate(aliases2.nextElement()));
            }
            if (linkedList.isEmpty()) {
                throw new Exception("No certificates found int the truststore. Please verify it via JDK's keytool.");
            }
            forServer.trustManager((X509Certificate[]) linkedList.toArray(new X509Certificate[0]));
        }
        return forServer.build();
    }

    private KeyStore loadKeyStore(String str, FileOrBinaryType fileOrBinaryType, char[] cArr) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        InputStream byteArrayInputStream = fileOrBinaryType.getBinary() != null ? new ByteArrayInputStream(fileOrBinaryType.getBinary()) : Files.newInputStream(Paths.get(fileOrBinaryType.getFile(), new String[0]), new OpenOption[0]);
        KeyStore keyStore = KeyStore.getInstance(str);
        try {
            keyStore.load(byteArrayInputStream, cArr);
            byteArrayInputStream.close();
            return keyStore;
        } catch (Throwable th) {
            byteArrayInputStream.close();
            throw th;
        }
    }

    private static void logOpenSslWarning() {
        if (LOG.isWarnEnabled()) {
            LOG.warn("To use the OpenSSL as SSL provider, both libapr-1 and OpenSSL must be installed and configured. Note that OpenSSL cannot be applied in Fedora distribution");
        }
    }

    public static void main(String[] strArr) {
        try {
            HttpServers httpServers = new HttpServers();
            httpServers.setConfFile("../doc/examples/httpservers.json");
            httpServers.setServletListener(new ServletListener());
            httpServers.start();
            httpServers.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
