package org.eclipse.jetty.util.ssl;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import org.eclipse.jetty.util.BlockingArrayQueue;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.annotation.ManagedAttribute;
import org.eclipse.jetty.util.annotation.ManagedObject;
import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.component.Dumpable;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.resource.ResourceFactory;
import org.eclipse.jetty.util.resource.Resources;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.security.CertificateValidator;
import org.eclipse.jetty.util.security.Credential;
import org.eclipse.jetty.util.security.Password;
import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
import org.eclipse.jetty.util.thread.AutoLock;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ManagedObject
/* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory.class */
public abstract class SslContextFactory extends ContainerLifeCycle implements Dumpable {
    // System property names for the key password and key store password (presumably read by the
    // password setters, which are outside this listing — confirm).
    public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
    public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
    // Certificate type/factory name used in doStart() and when scanning key store entries in load().
    private static final String X_509 = "X.509";
    // Guards load()/unload(); held by doStart() and doStop().
    private final AutoLock _lock;
    // Protocol / cipher suite name filters; the exclude sets are seeded with the DEFAULT_* arrays in the constructor.
    private final Set<String> _excludeProtocols;
    private final Set<String> _includeProtocols;
    private final Set<String> _excludeCipherSuites;
    private final Set<String> _includeCipherSuites;
    // Indexes built by load() from the key store: alias -> certificate, host name -> certificate,
    // wildcard name -> certificate. Cleared by unload().
    private final Map<String, X509> _aliasX509;
    private final Map<String, X509> _certHosts;
    private final Map<String, X509> _certWilds;
    // Populated by selectProtocols()/selectCipherSuites() during load(); null until started.
    private String[] _selectedProtocols;
    private boolean _useCipherSuitesOrder;
    private Comparator<String> _cipherComparator;
    private String[] _selectedCipherSuites;
    private Resource _keyStoreResource;
    private String _keyStoreProvider;
    private String _keyStoreType;
    private String _certAlias;
    private Resource _trustStoreResource;
    private String _trustStoreProvider;
    private String _trustStoreType;
    private Credential _keyStoreCredential;
    private Credential _keyManagerCredential;
    private Credential _trustStoreCredential;
    private String _sslProvider;
    private String _sslProtocol;
    private String _secureRandomAlgorithm;
    private String _keyManagerFactoryAlgorithm;
    private String _trustManagerFactoryAlgorithm;
    // When true, load() runs a CertificateValidator over every non-CA key store certificate.
    private boolean _validateCerts;
    private boolean _validatePeerCerts;
    private int _maxCertPathLength;
    private String _crlPath;
    private boolean _enableCRLDP;
    private boolean _enableOCSP;
    private String _ocspResponderURL;
    // Explicitly set stores/context; when present they take precedence over the resource-based ones in load().
    private KeyStore _setKeyStore;
    private KeyStore _setTrustStore;
    private boolean _sessionCachingEnabled;
    private int _sslSessionCacheSize;
    private int _sslSessionTimeout;
    private SSLContext _setContext;
    // "HTTPS" by default (constructor); Server sets it to null, Client warns if it is null.
    private String _endpointIdentificationAlgorithm;
    // When true and no key/trust store is configured, load() installs TRUST_ALL_CERTS: every peer chain is accepted.
    private boolean _trustAll;
    private boolean _renegotiationAllowed;
    // Defaults to 5 (constructor).
    private int _renegotiationLimit;
    // Result of the last successful load(); null until started and after unload().
    private Factory _factory;
    private PKIXCertPathChecker _pkixCertPathChecker;
    private HostnameVerifier _hostnameVerifier;
    private CertificateFactory _x509CertificateFactory;
    // A wrapper around a null delegate: its check*Trusted methods perform no validation at all.
    public static final TrustManager[] TRUST_ALL_CERTS = {new X509ExtendedTrustManagerWrapper(null)};
    public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
    public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SslContextFactory.class);
    // Separate logger for configuration warnings (trust-all, weak protocols/ciphers).
    private static final Logger LOG_CONFIG = LoggerFactory.getLogger(LOG.getName() + ".config");
    // Not referenced in this listing; presumably used by cipher selection code elsewhere — confirm.
    private static final Pattern KEY_SIZE_PATTERN = Pattern.compile("_(\\d+)_");
    // Excluded by default in the constructor; checkProtocols()/checkCiphers() warn if any of these are still enabled.
    private static final String[] DEFAULT_EXCLUDED_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};
    private static final String[] DEFAULT_EXCLUDED_CIPHER_SUITES = {"^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"};

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$AliasSNIMatcher.class */
    public static class AliasSNIMatcher extends SNIMatcher {
        private String _host;

        /**
         * Matcher for the host_name SNI type (type 0) that records the name the client sent
         * instead of rejecting anything; the real selection happens in the SniSelector.
         */
        AliasSNIMatcher() {
            super(0);
        }

        /**
         * Always returns {@code true}; as a side effect stores the lower-cased ASCII host name
         * when the server name is an {@link SNIHostName}.
         */
        @Override // javax.net.ssl.SNIMatcher
        public boolean matches(SNIServerName sNIServerName) {
            if (SslContextFactory.LOG.isDebugEnabled()) {
                SslContextFactory.LOG.debug("SNI matching for {}", sNIServerName);
            }
            if (sNIServerName instanceof SNIHostName) {
                String asciiName = ((SNIHostName) sNIServerName).getAsciiName();
                this._host = StringUtil.asciiToLowerCase(asciiName);
                if (SslContextFactory.LOG.isDebugEnabled()) {
                    SslContextFactory.LOG.debug("SNI host name {}", this._host);
                }
            } else if (SslContextFactory.LOG.isDebugEnabled()) {
                SslContextFactory.LOG.debug("No SNI host name for {}", sNIServerName);
            }
            // Never veto the handshake here; a missing or unmatched name is handled by sniSelect().
            return true;
        }

        /** @return the host name recorded by the last {@link #matches} call, or {@code null} */
        public String getHost() {
            return _host;
        }
    }

    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$Client.class */
    public static class Client extends SslContextFactory {
        private SniProvider sniProvider;

        /**
         * Computes the SNI names to send for a given engine, starting from the names already
         * configured on its SSLParameters.
         */
        @FunctionalInterface
        /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$Client$SniProvider.class */
        public interface SniProvider {
            /** Sends the engine's peer host as SNI when no names are configured (even if it is not a domain name). */
            SniProvider NON_DOMAIN_SNI_PROVIDER = Client::getSniServerNames;

            List<SNIServerName> apply(SSLEngine sSLEngine, List<SNIServerName> list);
        }

        /** Client factory that does not trust all certificates. */
        public Client() {
            this(false);
        }

        /**
         * @param z whether to trust every server certificate (see {@code checkTrustAll()} for the warning this triggers)
         */
        public Client(boolean z) {
            super(z);
            // Default provider: leave the configured SNI names untouched.
            this.sniProvider = (engine, names) -> names;
        }

        @Override // org.eclipse.jetty.util.ssl.SslContextFactory
        protected void checkConfiguration() {
            // Client-only warnings: trust-all and missing endpoint identification both disable server authentication.
            checkTrustAll();
            checkEndPointIdentificationAlgorithm();
            super.checkConfiguration();
        }

        /**
         * Applies the SNI provider to the engine's server names, then the common customization.
         * The parameters are only written back when the provider returned a different, non-null list.
         */
        @Override // org.eclipse.jetty.util.ssl.SslContextFactory
        public void customize(SSLEngine sSLEngine) {
            SSLParameters params = sSLEngine.getSSLParameters();
            List<SNIServerName> configured = params.getServerNames();
            if (configured == null) {
                configured = Collections.emptyList();
            }
            List<SNIServerName> provided = getSNIProvider().apply(sSLEngine, configured);
            boolean replaced = provided != null && provided != configured;
            if (replaced) {
                params.setServerNames(provided);
                sSLEngine.setSSLParameters(params);
            }
            super.customize(sSLEngine);
        }

        public SniProvider getSNIProvider() {
            return sniProvider;
        }

        /** @throws NullPointerException if {@code sniProvider} is null */
        public void setSNIProvider(SniProvider sniProvider) {
            this.sniProvider = Objects.requireNonNull(sniProvider);
        }

        /**
         * Returns the given names unchanged when non-empty or when the engine has no peer host;
         * otherwise a single host_name entry built from the peer host's ASCII bytes.
         */
        private static List<SNIServerName> getSniServerNames(SSLEngine engine, List<SNIServerName> names) {
            if (!names.isEmpty()) {
                return names;
            }
            String peerHost = engine.getPeerHost();
            if (peerHost == null) {
                return names;
            }
            return List.of(new SNIHostName(peerHost.getBytes(StandardCharsets.US_ASCII)));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$Factory.class */
    public static class Factory {
        private final KeyStore _keyStore;
        private final KeyStore _trustStore;
        private final SSLContext _context;

        /**
         * Immutable holder for what load() produced; dropped again by unload().
         *
         * @param keys the loaded key store (may be null)
         * @param trust the loaded trust store (may be null)
         * @param context the initialized SSLContext
         */
        private Factory(KeyStore keys, KeyStore trust, SSLContext context) {
            _context = context;
            _trustStore = trust;
            _keyStore = keys;
        }
    }

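    @ManagedObject
    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$Server.class */
    public static class Server extends SslContextFactory implements SniX509ExtendedKeyManager.SniSelector {
        // Attribute name for the SNI host; not referenced in this listing (presumably used by the SNI key manager — confirm).
        public static final String SNI_HOST = "org.eclipse.jetty.util.ssl.sniHost";
        private boolean _needClientAuth;
        private boolean _wantClientAuth;
        private boolean _sniRequired;
        private SniX509ExtendedKeyManager.SniSelector _sniSelector;

        /** Server factories do not perform endpoint identification of the peer by default. */
        public Server() {
            setEndpointIdentificationAlgorithm(null);
        }

        @ManagedAttribute("Whether client authentication is needed")
        public boolean getNeedClientAuth() {
            return _needClientAuth;
        }

        public void setNeedClientAuth(boolean z) {
            _needClientAuth = z;
        }

        @ManagedAttribute("Whether client authentication is wanted")
        public boolean getWantClientAuth() {
            return _wantClientAuth;
        }

        public void setWantClientAuth(boolean z) {
            _wantClientAuth = z;
        }

        @ManagedAttribute("Whether the TLS handshake is rejected if there is no SNI host match")
        public boolean isSniRequired() {
            return _sniRequired;
        }

        public void setSniRequired(boolean z) {
            _sniRequired = z;
        }

        /**
         * Wraps the key managers from the superclass in SNI-aware ones when SNI is required or
         * the key store holds more than one usable certificate.
         *
         * @param keyStore the loaded key store, may be null
         * @return the (possibly wrapped) key managers, or null when the superclass produced none
         * @throws IllegalStateException if SNI is required but no X509ExtendedKeyManager could be wrapped
         * @throws Exception propagated from the superclass
         */
        @Override // org.eclipse.jetty.util.ssl.SslContextFactory
        protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception {
            KeyManager[] keyManagers = super.getKeyManagers(keyStore);
            boolean sniWrapped = false;
            // The null check is done before iterating: the original only checked after the loop,
            // so a missing key store with SNI required surfaced as a NullPointerException rather
            // than the intended IllegalStateException below.
            if (keyManagers != null && needsSniSelection()) {
                for (int i = 0; i < keyManagers.length; i++) {
                    if (keyManagers[i] instanceof X509ExtendedKeyManager) {
                        keyManagers[i] = newSniX509ExtendedKeyManager((X509ExtendedKeyManager) keyManagers[i]);
                        sniWrapped = true;
                    }
                }
            }
            if (isSniRequired() && !sniWrapped) {
                throw new IllegalStateException("No SNI Key managers when SNI is required");
            }
            return keyManagers;
        }

        /** True when a certificate must be chosen per SNI name rather than a single default one. */
        private boolean needsSniSelection() {
            return isSniRequired()
                || !wildCerts().isEmpty()
                || hostCerts().size() > 1
                || (hostCerts().size() == 1 && aliasCerts().size() > 1);
        }

        public SniX509ExtendedKeyManager.SniSelector getSNISelector() {
            return _sniSelector;
        }

        public void setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector) {
            _sniSelector = sniSelector;
        }

        /**
         * Chooses the certificate alias for an SNI name.
         *
         * <ul>
         * <li>no SNI name: {@code DELEGATE} (default key manager choice), or {@code null} when SNI is required;</li>
         * <li>SNI name matched by one or more of the offered certificates: the alias with the fewest wildcard names;</li>
         * <li>SNI name matched by none of them: {@code null} when SNI is required or when some other alias in the
         * key store does match the name (so a certificate for a different host is never served), else {@code DELEGATE}.</li>
         * </ul>
         * A {@code null} result rejects the handshake.
         */
        @Override // org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager.SniSelector
        public String sniSelect(String str, Principal[] principalArr, SSLSession sSLSession, String str2, Collection<X509> collection) {
            boolean sniRequired = isSniRequired();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Selecting alias: keyType={}, sni={}, sniRequired={}, certs={}", str, String.valueOf(str2), Boolean.valueOf(sniRequired), collection);
            }
            String alias;
            if (str2 == null) {
                alias = sniRequired ? null : SniX509ExtendedKeyManager.SniSelector.DELEGATE;
            } else {
                List<X509> matching = collection.stream()
                    .filter(x509 -> x509.matches(str2))
                    .collect(Collectors.toList());
                if (matching.isEmpty()) {
                    boolean otherAliasMatches = aliasCerts().values().stream().anyMatch(x509 -> x509.matches(str2));
                    alias = (sniRequired || otherAliasMatches) ? null : SniX509ExtendedKeyManager.SniSelector.DELEGATE;
                } else {
                    // Prefer the most specific certificate (fewest wildcard names).
                    alias = matching.stream()
                        .min(Comparator.comparingInt((X509 x509) -> x509.getWilds().size()))
                        .map(X509::getAlias)
                        .orElse(matching.get(0).getAlias());
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Selected alias={}", String.valueOf(alias));
            }
            return alias;
        }

        /** Factory hook for the SNI-aware key manager that delegates alias choice to this selector. */
        protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager x509ExtendedKeyManager) {
            return new SniX509ExtendedKeyManager(x509ExtendedKeyManager, this);
        }
    }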

    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$X509ExtendedKeyManagerWrapper.class */
    public static class X509ExtendedKeyManagerWrapper extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager keyManager;

        /**
         * Delegating key manager; with a {@code null} delegate every method answers {@code null}
         * (no aliases, no chain, no key).
         */
        public X509ExtendedKeyManagerWrapper(X509ExtendedKeyManager x509ExtendedKeyManager) {
            this.keyManager = x509ExtendedKeyManager;
        }

        @Override // javax.net.ssl.X509KeyManager
        public String[] getClientAliases(String str, Principal[] principalArr) {
            return keyManager == null ? null : keyManager.getClientAliases(str, principalArr);
        }

        @Override // javax.net.ssl.X509KeyManager
        public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
            return keyManager == null ? null : keyManager.chooseClientAlias(strArr, principalArr, socket);
        }

        @Override // javax.net.ssl.X509ExtendedKeyManager
        public String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
            return keyManager == null ? null : keyManager.chooseEngineClientAlias(strArr, principalArr, sSLEngine);
        }

        @Override // javax.net.ssl.X509KeyManager
        public String[] getServerAliases(String str, Principal[] principalArr) {
            return keyManager == null ? null : keyManager.getServerAliases(str, principalArr);
        }

        @Override // javax.net.ssl.X509KeyManager
        public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
            return keyManager == null ? null : keyManager.chooseServerAlias(str, principalArr, socket);
        }

        @Override // javax.net.ssl.X509ExtendedKeyManager
        public String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
            return keyManager == null ? null : keyManager.chooseEngineServerAlias(str, principalArr, sSLEngine);
        }

        @Override // javax.net.ssl.X509KeyManager
        public X509Certificate[] getCertificateChain(String str) {
            return keyManager == null ? null : keyManager.getCertificateChain(str);
        }

        @Override // javax.net.ssl.X509KeyManager
        public PrivateKey getPrivateKey(String str) {
            return keyManager == null ? null : keyManager.getPrivateKey(str);
        }
    }

    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$X509ExtendedTrustManagerWrapper.class */
    public static class X509ExtendedTrustManagerWrapper extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager trustManager;

        /**
         * Delegating trust manager. With a {@code null} delegate no check method ever throws,
         * i.e. every peer certificate chain is accepted; this is how {@code TRUST_ALL_CERTS} is built.
         */
        public X509ExtendedTrustManagerWrapper(X509ExtendedTrustManager x509ExtendedTrustManager) {
            this.trustManager = x509ExtendedTrustManager;
        }

        /** @return the delegate's accepted issuers, or an empty array without a delegate */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            if (trustManager == null) {
                return new X509Certificate[0];
            }
            return trustManager.getAcceptedIssuers();
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            if (trustManager == null) {
                return;
            }
            trustManager.checkClientTrusted(x509CertificateArr, str);
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
            if (trustManager == null) {
                return;
            }
            trustManager.checkClientTrusted(x509CertificateArr, str, socket);
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
            if (trustManager == null) {
                return;
            }
            trustManager.checkClientTrusted(x509CertificateArr, str, sSLEngine);
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            if (trustManager == null) {
                return;
            }
            trustManager.checkServerTrusted(x509CertificateArr, str);
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
            if (trustManager == null) {
                return;
            }
            trustManager.checkServerTrusted(x509CertificateArr, str, socket);
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
            if (trustManager == null) {
                return;
            }
            trustManager.checkServerTrusted(x509CertificateArr, str, sSLEngine);
        }
    }

    /** Creates a factory that does not trust all certificates. */
    protected SslContextFactory() {
        this(false);
    }

    /**
     * Creates a factory with the built-in defaults: PKCS12 key store, "TLS" protocol, "HTTPS"
     * endpoint identification, session caching on, renegotiation allowed (limit 5), and the
     * default protocol and cipher suite exclusions applied.
     *
     * @param z whether to trust every peer certificate (see {@code load()})
     */
    public SslContextFactory(boolean z) {
        _lock = new AutoLock();
        // Selection filters and certificate indexes.
        _excludeProtocols = new LinkedHashSet<>();
        _includeProtocols = new LinkedHashSet<>();
        _excludeCipherSuites = new LinkedHashSet<>();
        _includeCipherSuites = new LinkedHashSet<>();
        _aliasX509 = new HashMap<>();
        _certHosts = new HashMap<>();
        _certWilds = new HashMap<>();
        // Store / algorithm defaults.
        _keyStoreType = "PKCS12";
        _sslProtocol = "TLS";
        _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
        _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
        _endpointIdentificationAlgorithm = "HTTPS";
        // Validation defaults: unbounded path length, no CRLDP, no OCSP.
        _maxCertPathLength = -1;
        _enableCRLDP = false;
        _enableOCSP = false;
        // Session and negotiation defaults (-1 leaves the JSSE defaults in place).
        _sessionCachingEnabled = true;
        _sslSessionCacheSize = -1;
        _sslSessionTimeout = -1;
        _useCipherSuitesOrder = true;
        _renegotiationAllowed = true;
        _renegotiationLimit = 5;
        // Setter calls last so subclass overrides see a fully initialized object.
        setTrustAll(z);
        setExcludeProtocols(DEFAULT_EXCLUDED_PROTOCOLS);
        setExcludeCipherSuites(DEFAULT_EXCLUDED_CIPHER_SUITES);
    }

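    /**
     * Loads the key/trust stores and SSLContext under {@code _lock}, then creates the X.509
     * certificate factory and runs the configuration checks.
     * <p>
     * The lock is released by try-with-resources so it is closed exactly once. The previous
     * explicit close()/catch sequence closed it a second time when
     * {@code getCertificateFactoryInstance()} or {@code checkConfiguration()} threw after the
     * lock had already been released.
     *
     * @throws Exception from loading or from the superclass
     */
    @Override // org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.AbstractLifeCycle
    protected void doStart() throws Exception {
        super.doStart();
        try (AutoLock lock = this._lock.lock()) {
            load();
        }
        this._x509CertificateFactory = getCertificateFactoryInstance(X_509);
        checkConfiguration();
    }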

    /**
     * Creates a customized engine from the loaded context and warns about any default-excluded
     * protocol or weak cipher suite that is still enabled on it. Requires a successful load().
     */
    protected void checkConfiguration() {
        SSLEngine probe = _factory._context.createSSLEngine();
        customize(probe);
        SSLParameters effective = probe.getSSLParameters();
        checkProtocols(effective);
        checkCiphers(effective);
    }

    /** Logs a configuration warning when trust-all is enabled (peer certificates are not verified). */
    protected void checkTrustAll() {
        if (!isTrustAll()) {
            return;
        }
        LOG_CONFIG.warn("Trusting all certificates configured for {}", this);
    }

    /** Logs a configuration warning when no endpoint identification algorithm is set (host name of the peer is not checked). */
    protected void checkEndPointIdentificationAlgorithm() {
        if (getEndpointIdentificationAlgorithm() != null) {
            return;
        }
        LOG_CONFIG.warn("No Client EndPointIdentificationAlgorithm configured for {}", this);
    }

    /**
     * Warns for every enabled protocol that is in {@code DEFAULT_EXCLUDED_PROTOCOLS}
     * (the array has no duplicates, so this emits one warning per such protocol).
     */
    protected void checkProtocols(SSLParameters sSLParameters) {
        List<String> legacy = Arrays.asList(DEFAULT_EXCLUDED_PROTOCOLS);
        for (String protocol : sSLParameters.getProtocols()) {
            if (legacy.contains(protocol)) {
                LOG_CONFIG.warn("Protocol {} not excluded for {}", protocol, this);
            }
        }
    }

    /**
     * Warns for every enabled cipher suite whose name matches one of the
     * {@code DEFAULT_EXCLUDED_CIPHER_SUITES} regular expressions (one warning per matching pattern).
     */
    protected void checkCiphers(SSLParameters sSLParameters) {
        List<Pattern> weakSuites = Arrays.stream(DEFAULT_EXCLUDED_CIPHER_SUITES)
            .map(Pattern::compile)
            .collect(Collectors.toList());
        for (String suite : sSLParameters.getCipherSuites()) {
            for (Pattern weak : weakSuites) {
                if (weak.matcher(suite).matches()) {
                    LOG_CONFIG.warn("Weak cipher suite {} enabled for {}", suite, this);
                }
            }
        }
    }

    /**
     * Builds (or adopts a pre-set) SSLContext, indexes the key store certificates by alias, host
     * and wildcard name, and records the selected protocols and cipher suites.
     * Called from doStart() with {@code _lock} held.
     *
     * @throws Exception from store loading, certificate validation or SSLContext initialization
     */
    private void load() throws Exception {
        SSLContext sSLContext = this._setContext;
        KeyStore keyStore = this._setKeyStore;
        KeyStore keyStore2 = this._setTrustStore;
        if (sSLContext == null) {
            if (keyStore == null && this._keyStoreResource == null && keyStore2 == null && this._trustStoreResource == null) {
                // Nothing configured: either rely on the JSSE default trust managers (null),
                // or, with trust-all, install a trust manager that accepts any peer chain.
                TrustManager[] trustManagerArr = null;
                if (isTrustAll()) {
                    // Only DEBUG here; the WARN for this state is emitted by checkTrustAll() (Client only).
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("No keystore or trust store configured.  ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
                    }
                    trustManagerArr = TRUST_ALL_CERTS;
                }
                sSLContext = getSSLContextInstance();
                sSLContext.init(null, trustManagerArr, getSecureRandomInstance());
            } else {
                // Explicitly set stores win over resource-based ones.
                if (keyStore == null) {
                    keyStore = loadKeyStore(this._keyStoreResource);
                }
                if (keyStore2 == null) {
                    keyStore2 = loadTrustStore(this._trustStoreResource);
                }
                Collection<? extends CRL> loadCRL = loadCRL(getCrlPath());
                if (keyStore != null) {
                    Iterator it2 = Collections.list(keyStore.aliases()).iterator();
                    while (it2.hasNext()) {
                        String str = (String) it2.next();
                        Certificate certificate = keyStore.getCertificate(str);
                        // Only X.509 entries are indexed; other certificate types are ignored.
                        if (certificate != null && X_509.equals(certificate.getType())) {
                            X509Certificate x509Certificate = (X509Certificate) certificate;
                            // Certificates with the cert-sign usage (presumably CA certificates) are not served.
                            if (!X509.isCertSign(x509Certificate)) {
                                X509 x509 = new X509(str, x509Certificate);
                                this._aliasX509.put(str, x509);
                                // Optional chain validation of our own certificate against the trust store and CRLs.
                                if (isValidateCerts()) {
                                    CertificateValidator certificateValidator = new CertificateValidator(keyStore2, loadCRL);
                                    certificateValidator.setMaxCertPathLength(getMaxCertPathLength());
                                    certificateValidator.setEnableCRLDP(isEnableCRLDP());
                                    certificateValidator.setEnableOCSP(isEnableOCSP());
                                    certificateValidator.setOcspResponderURL(getOcspResponderURL());
                                    certificateValidator.validate(keyStore, x509Certificate);
                                }
                                LOG.info("x509={} for {}", x509, this);
                                // Index by the names the certificate carries, for SNI selection.
                                Iterator<String> it3 = x509.getHosts().iterator();
                                while (it3.hasNext()) {
                                    this._certHosts.put(it3.next(), x509);
                                }
                                Iterator<String> it4 = x509.getWilds().iterator();
                                while (it4.hasNext()) {
                                    this._certWilds.put(it4.next(), x509);
                                }
                            } else if (LOG.isDebugEnabled()) {
                                LOG.debug("Skipping {}", x509Certificate);
                            }
                        }
                    }
                }
                KeyManager[] keyManagers = getKeyManagers(keyStore);
                TrustManager[] trustManagers = getTrustManagers(keyStore2, loadCRL);
                sSLContext = getSSLContextInstance();
                sSLContext.init(keyManagers, trustManagers, getSecureRandomInstance());
            }
        }
        // Session cache tuning is applied even to a pre-set context; -1 keeps the JSSE default.
        SSLSessionContext serverSessionContext = sSLContext.getServerSessionContext();
        if (serverSessionContext != null) {
            if (getSslSessionCacheSize() > -1) {
                serverSessionContext.setSessionCacheSize(getSslSessionCacheSize());
            }
            if (getSslSessionTimeout() > -1) {
                serverSessionContext.setSessionTimeout(getSslSessionTimeout());
            }
        }
        SSLParameters defaultSSLParameters = sSLContext.getDefaultSSLParameters();
        SSLParameters supportedSSLParameters = sSLContext.getSupportedSSLParameters();
        selectCipherSuites(defaultSSLParameters.getCipherSuites(), supportedSSLParameters.getCipherSuites());
        selectProtocols(defaultSSLParameters.getProtocols(), supportedSSLParameters.getProtocols());
        this._factory = new Factory(keyStore, keyStore2, sSLContext);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Selected Protocols {} of {}", Arrays.asList(this._selectedProtocols), Arrays.asList(supportedSSLParameters.getProtocols()));
            LOG.debug("Selected Ciphers   {} of {}", Arrays.asList(this._selectedCipherSuites), Arrays.asList(supportedSSLParameters.getCipherSuites()));
        }
    }

    /** @return the Dumpable rendering of this factory (see {@link #dump(Appendable, String)}) */
    @Override // org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.Dumpable
    public String dump() {
        String rendered = Dumpable.dump(this);
        return rendered;
    }

    /**
     * Dumps the trust-all flag plus the protocol and cipher suite selections, computed against
     * the JVM default SSLContext (not the loaded one). If no default context is available the
     * dump is skipped and the failure logged at TRACE.
     *
     * @throws IOException from the Appendable
     */
    @Override // org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.Dumpable
    public void dump(Appendable appendable, String str) throws IOException {
        SSLEngine probe;
        try {
            probe = SSLContext.getDefault().createSSLEngine();
        } catch (NoSuchAlgorithmException e) {
            LOG.trace("IGNORED", (Throwable) e);
            return;
        }
        SslSelectionDump protocols = new SslSelectionDump("Protocol",
            probe.getSupportedProtocols(), probe.getEnabledProtocols(),
            getExcludeProtocols(), getIncludeProtocols());
        SslSelectionDump ciphers = new SslSelectionDump("Cipher Suite",
            probe.getSupportedCipherSuites(), probe.getEnabledCipherSuites(),
            getExcludeCipherSuites(), getIncludeCipherSuites());
        Dumpable.dumpObjects(appendable, str, this, "trustAll=" + _trustAll, protocols, ciphers);
    }

    /**
     * Protocol and cipher suite selection dumps computed against the JVM default SSLContext.
     *
     * @return a mutable list with the protocol dump first and the cipher suite dump second
     * @throws NoSuchAlgorithmException if no default SSLContext is available
     */
    List<SslSelectionDump> selectionDump() throws NoSuchAlgorithmException {
        SSLEngine probe = SSLContext.getDefault().createSSLEngine();
        SslSelectionDump protocols = new SslSelectionDump("Protocol",
            probe.getSupportedProtocols(), probe.getEnabledProtocols(),
            getExcludeProtocols(), getIncludeProtocols());
        SslSelectionDump ciphers = new SslSelectionDump("Cipher Suite",
            probe.getSupportedCipherSuites(), probe.getEnabledCipherSuites(),
            getExcludeCipherSuites(), getIncludeCipherSuites());
        List<SslSelectionDump> dumps = new ArrayList<>(2);
        dumps.add(protocols);
        dumps.add(ciphers);
        return dumps;
    }

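    /**
     * Drops the loaded context and certificate indexes under {@code _lock}, then stops the container.
     * <p>
     * try-with-resources releases the lock exactly once; the previous explicit close()/catch
     * sequence closed it a second time when {@code super.doStop()} threw after the lock had
     * already been released.
     *
     * @throws Exception from the superclass
     */
    @Override // org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.AbstractLifeCycle
    protected void doStop() throws Exception {
        try (AutoLock lock = this._lock.lock()) {
            unload();
        }
        super.doStop();
    }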

    /** Forgets everything load() produced; called from doStop() with {@code _lock} held. */
    private void unload() {
        _aliasX509.clear();
        _certHosts.clear();
        _certWilds.clear();
        _selectedProtocols = null;
        _selectedCipherSuites = null;
        _factory = null;
    }

    /** @return the live alias-to-certificate index built by load() (not a copy) */
    Map<String, X509> aliasCerts() {
        return _aliasX509;
    }

    /** @return the live host-name-to-certificate index built by load() (not a copy) */
    Map<String, X509> hostCerts() {
        return _certHosts;
    }

    /** @return the live wildcard-name-to-certificate index built by load() (not a copy) */
    Map<String, X509> wildCerts() {
        return _certWilds;
    }

    /**
     * @return a copy of the protocols selected by load()
     * @throws NullPointerException if called before the factory has been started
     */
    @ManagedAttribute(value = "The selected TLS protocol versions", readonly = true)
    public String[] getSelectedProtocols() {
        return _selectedProtocols.clone();
    }

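    /**
     * Returns a defensive copy of the cipher suites chosen by
     * {@link #selectCipherSuites(String[], String[])}.
     *
     * @return a fresh array of the selected cipher suite names; empty (never
     *         null) when no selection has been made yet, e.g. before start or
     *         after {@code unload()} has cleared the field
     */
    @ManagedAttribute(value = "The selected cipher suites", readonly = true)
    public String[] getSelectedCipherSuites() {
        // Snapshot once: this getter does not take _lock, and unload() nulls the field.
        String[] selected = _selectedCipherSuites;
        if (selected == null) {
            return new String[0];
        }
        return Arrays.copyOf(selected, selected.length);
    }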

    /**
     * @return the comparator used to order selected cipher suites, or null
     *         when the enabled order is left as reported by the engine
     */
    public Comparator<String> getCipherComparator() {
        return _cipherComparator;
    }

    /**
     * Sets the comparator used to order selected cipher suites. Supplying a
     * non-null comparator also turns on {@link #setUseCipherSuitesOrder(boolean)},
     * since an ordering is pointless unless the server honours it.
     *
     * @param comparator the ordering to apply, or null to keep the engine order
     */
    public void setCipherComparator(Comparator<String> comparator) {
        boolean hasOrdering = comparator != null;
        if (hasOrdering) {
            setUseCipherSuitesOrder(true);
        }
        _cipherComparator = comparator;
    }

    /**
     * @return a read-only view of the certificate aliases loaded from the key store
     */
    public Set<String> getAliases() {
        Set<String> aliases = _aliasX509.keySet();
        return Collections.unmodifiableSet(aliases);
    }

    /**
     * @param str a certificate alias
     * @return the loaded certificate for that alias, or null if unknown
     */
    public X509 getX509(String str) {
        return _aliasX509.get(str);
    }

    /**
     * @return a fresh array of the regex patterns for protocols to exclude
     */
    @ManagedAttribute("The excluded TLS protocols")
    public String[] getExcludeProtocols() {
        return _excludeProtocols.toArray(String[]::new);
    }

    /**
     * Replaces the protocol exclusion patterns.
     *
     * @param strArr regex patterns; each is applied with {@code Matcher.matches()}
     */
    public void setExcludeProtocols(String... strArr) {
        _excludeProtocols.clear();
        Collections.addAll(_excludeProtocols, strArr);
    }

    /**
     * Adds protocol exclusion patterns to those already configured.
     *
     * @param strArr regex patterns to add
     */
    public void addExcludeProtocols(String... strArr) {
        Collections.addAll(_excludeProtocols, strArr);
    }

    /**
     * @return a fresh array of the regex patterns for protocols to include
     */
    @ManagedAttribute("The included TLS protocols")
    public String[] getIncludeProtocols() {
        return _includeProtocols.toArray(String[]::new);
    }

    /**
     * Replaces the protocol inclusion patterns. When empty, the engine's
     * enabled protocols are the starting set.
     *
     * @param strArr regex patterns matched against the supported protocols
     */
    public void setIncludeProtocols(String... strArr) {
        _includeProtocols.clear();
        Collections.addAll(_includeProtocols, strArr);
    }

    /**
     * @return a fresh array of the regex patterns for cipher suites to exclude
     */
    @ManagedAttribute("The excluded cipher suites")
    public String[] getExcludeCipherSuites() {
        return _excludeCipherSuites.toArray(String[]::new);
    }

    /**
     * Replaces the cipher suite exclusion patterns.
     *
     * @param strArr regex patterns; each is applied with {@code Matcher.matches()}
     */
    public void setExcludeCipherSuites(String... strArr) {
        _excludeCipherSuites.clear();
        Collections.addAll(_excludeCipherSuites, strArr);
    }

    /**
     * Adds cipher suite exclusion patterns to those already configured.
     *
     * @param strArr regex patterns to add
     */
    public void addExcludeCipherSuites(String... strArr) {
        Collections.addAll(_excludeCipherSuites, strArr);
    }

    /**
     * @return a fresh array of the regex patterns for cipher suites to include
     */
    @ManagedAttribute("The included cipher suites")
    public String[] getIncludeCipherSuites() {
        return _includeCipherSuites.toArray(String[]::new);
    }

    /**
     * Replaces the cipher suite inclusion patterns. When empty, the engine's
     * enabled cipher suites are the starting set.
     *
     * @param strArr regex patterns matched against the supported cipher suites
     */
    public void setIncludeCipherSuites(String... strArr) {
        _includeCipherSuites.clear();
        Collections.addAll(_includeCipherSuites, strArr);
    }

    /**
     * @return whether the server's cipher suite preference order is enforced
     *         over the client's (see {@code SSLParameters.setUseCipherSuitesOrder})
     */
    @ManagedAttribute("Whether to respect the cipher suites order")
    public boolean isUseCipherSuitesOrder() {
        return _useCipherSuitesOrder;
    }

    /**
     * @param z true to enforce the server's cipher suite order during negotiation
     */
    public void setUseCipherSuitesOrder(boolean z) {
        _useCipherSuitesOrder = z;
    }

    /**
     * @return the string form of the configured key store resource, or null
     *         when none is set
     */
    @ManagedAttribute("The keyStore path")
    public String getKeyStorePath() {
        Resource resource = _keyStoreResource;
        return resource == null ? null : resource.toString();
    }

    /**
     * Sets the key store location. A blank path clears the resource; a path
     * that does not resolve to a readable file also clears it and fails fast
     * so a misconfiguration is not discovered only at TLS start.
     *
     * @param str the key store path, or blank/null to unset
     * @throws IllegalArgumentException if the path is not a readable file
     */
    public void setKeyStorePath(String str) {
        if (StringUtil.isBlank(str)) {
            _keyStoreResource = null;
            return;
        }
        Resource resource = ResourceFactory.of(this).newResource(str);
        if (!Resources.isReadableFile(resource)) {
            _keyStoreResource = null;
            throw new IllegalArgumentException("KeyStore Path not accessible: " + str);
        }
        _keyStoreResource = resource;
    }

    /**
     * @return the JCA provider name used to load the key store, or null for the default
     */
    @ManagedAttribute("The keyStore provider name")
    public String getKeyStoreProvider() {
        return _keyStoreProvider;
    }

    /**
     * @param str the JCA provider name for the key store, or null for the default
     */
    public void setKeyStoreProvider(String str) {
        _keyStoreProvider = str;
    }

    /**
     * @return the key store type (e.g. PKCS12) passed to {@code KeyStore.getInstance}
     */
    @ManagedAttribute("The keyStore type")
    public String getKeyStoreType() {
        return _keyStoreType;
    }

    /**
     * @param str the key store type (e.g. PKCS12)
     */
    public void setKeyStoreType(String str) {
        _keyStoreType = str;
    }

    /**
     * @return the alias of the key store entry to present, or null to let the
     *         key manager choose
     */
    @ManagedAttribute("The certificate alias")
    public String getCertAlias() {
        return _certAlias;
    }

    /**
     * @param str the alias of the key store entry to present, or null for
     *            key-manager selection
     */
    public void setCertAlias(String str) {
        _certAlias = str;
    }

    /**
     * @return the string form of the configured trust store resource, or null
     *         when none is set (the key store is then used for trust, see
     *         {@link #loadTrustStore(Resource)})
     */
    @ManagedAttribute("The trustStore path")
    public String getTrustStorePath() {
        Resource resource = _trustStoreResource;
        return resource == null ? null : resource.toString();
    }

    /**
     * Sets the trust store location. A blank path clears the resource; a path
     * that does not resolve to a readable file also clears it and fails fast.
     *
     * @param str the trust store path, or blank/null to unset
     * @throws IllegalArgumentException if the path is not a readable file
     */
    public void setTrustStorePath(String str) {
        if (StringUtil.isBlank(str)) {
            _trustStoreResource = null;
            return;
        }
        Resource resource = ResourceFactory.of(this).newResource(str);
        if (!Resources.isReadableFile(resource)) {
            _trustStoreResource = null;
            throw new IllegalArgumentException("TrustStore Path not accessible: " + str);
        }
        _trustStoreResource = resource;
    }

    /**
     * @return the JCA provider name for the trust store, or null to fall back
     *         to the key store provider
     */
    @ManagedAttribute("The trustStore provider name")
    public String getTrustStoreProvider() {
        return _trustStoreProvider;
    }

    /**
     * @param str the JCA provider name for the trust store, or null to reuse
     *            the key store provider
     */
    public void setTrustStoreProvider(String str) {
        _trustStoreProvider = str;
    }

    /**
     * @return the trust store type, or null to fall back to the key store type
     */
    @ManagedAttribute("The trustStore type")
    public String getTrustStoreType() {
        return _trustStoreType;
    }

    /**
     * @param str the trust store type, or null to reuse the key store type
     */
    public void setTrustStoreType(String str) {
        _trustStoreType = str;
    }

    /**
     * @return whether the factory's own certificates are validated at load
     *         time (see {@link #validateCerts(X509Certificate[])})
     */
    @ManagedAttribute("Whether certificates are validated")
    public boolean isValidateCerts() {
        return _validateCerts;
    }

    /**
     * @param z true to validate the factory's own certificates at load time
     */
    public void setValidateCerts(boolean z) {
        _validateCerts = z;
    }

    /**
     * @return whether peer certificates get full PKIX path validation with
     *         revocation checking; only effective together with the PKIX
     *         trust manager algorithm (see {@link #getTrustManagers(KeyStore, Collection)})
     */
    @ManagedAttribute("Whether peer certificates are validated")
    public boolean isValidatePeerCerts() {
        return _validatePeerCerts;
    }

    /**
     * @param z true to apply PKIX path validation with revocation checking to
     *          peer certificates (requires the PKIX trust manager algorithm)
     */
    public void setValidatePeerCerts(boolean z) {
        _validatePeerCerts = z;
    }

    /**
     * Returns the key store password in clear text. This is deliberately not
     * a {@code @ManagedAttribute}, so it is not exposed over JMX; callers must
     * take the same care not to log or serialize the value.
     *
     * @return the password, or null when no credential is configured
     */
    public String getKeyStorePassword() {
        Credential credential = _keyStoreCredential;
        return credential == null ? null : credential.toString();
    }

    /**
     * Sets the key store password. A null argument means "read it from the
     * {@code PASSWORD_PROPERTY} system property", so the secret need not be
     * present in configuration files.
     *
     * @param str the password (possibly in obfuscated form understood by
     *            {@link #newCredential(String)}), or null for the system property
     */
    public void setKeyStorePassword(String str) {
        if (str == null) {
            _keyStoreCredential = getCredential(PASSWORD_PROPERTY);
        } else {
            _keyStoreCredential = newCredential(str);
        }
    }

    /**
     * Returns the private key password in clear text. Not a JMX attribute by
     * design; callers must not log or serialize the value.
     *
     * @return the password, or null when the key store password is used instead
     */
    public String getKeyManagerPassword() {
        Credential credential = _keyManagerCredential;
        return credential == null ? null : credential.toString();
    }

    /**
     * Sets the password protecting the private key entry. A null argument
     * reads the {@code KEYPASSWORD_PROPERTY} system property instead.
     *
     * @param str the key password, or null for the system property
     */
    public void setKeyManagerPassword(String str) {
        if (str == null) {
            _keyManagerCredential = getCredential(KEYPASSWORD_PROPERTY);
        } else {
            _keyManagerCredential = newCredential(str);
        }
    }

    /**
     * Sets the trust store password. A null argument reads the
     * {@code PASSWORD_PROPERTY} system property instead. There is no matching
     * getter, so this credential is never read back as a String.
     *
     * @param str the trust store password, or null for the system property
     */
    public void setTrustStorePassword(String str) {
        if (str == null) {
            _trustStoreCredential = getCredential(PASSWORD_PROPERTY);
        } else {
            _trustStoreCredential = newCredential(str);
        }
    }

    /**
     * @return the JCA provider name used for the SSLContext, factories and
     *         SecureRandom, or null for the JVM default
     */
    @ManagedAttribute("The provider name")
    public String getProvider() {
        return _sslProvider;
    }

    /**
     * @param str the JCA provider name, or null for the JVM default. Lookups
     *            on a named provider that fail fall back to the default (see
     *            the {@code get*Instance} methods).
     */
    public void setProvider(String str) {
        _sslProvider = str;
    }

    /**
     * @return the protocol name passed to {@code SSLContext.getInstance}
     */
    @ManagedAttribute("The TLS protocol")
    public String getProtocol() {
        return _sslProtocol;
    }

    /**
     * @param str the protocol name passed to {@code SSLContext.getInstance}
     */
    public void setProtocol(String str) {
        _sslProtocol = str;
    }

    /**
     * @return the SecureRandom algorithm name, or null to let the SSLContext
     *         use its own default (see {@link #getSecureRandomInstance()})
     */
    @ManagedAttribute("The SecureRandom algorithm")
    public String getSecureRandomAlgorithm() {
        return _secureRandomAlgorithm;
    }

    /**
     * @param str the SecureRandom algorithm name, or null for the SSLContext default
     */
    public void setSecureRandomAlgorithm(String str) {
        _secureRandomAlgorithm = str;
    }

    /**
     * @return the algorithm name passed to {@code KeyManagerFactory.getInstance}
     */
    @ManagedAttribute("The KeyManagerFactory algorithm")
    public String getKeyManagerFactoryAlgorithm() {
        return _keyManagerFactoryAlgorithm;
    }

    /**
     * @param str the algorithm name passed to {@code KeyManagerFactory.getInstance}
     */
    public void setKeyManagerFactoryAlgorithm(String str) {
        _keyManagerFactoryAlgorithm = str;
    }

    /**
     * @return the algorithm name passed to {@code TrustManagerFactory.getInstance};
     *         only "PKIX" enables peer certificate path validation
     */
    @ManagedAttribute("The TrustManagerFactory algorithm")
    public String getTrustManagerFactoryAlgorithm() {
        return _trustManagerFactoryAlgorithm;
    }

    /**
     * @return whether every peer certificate is accepted without validation
     */
    @ManagedAttribute("Whether certificates should be trusted even if they are invalid")
    public boolean isTrustAll() {
        return _trustAll;
    }

    /**
     * Enables or disables trusting every peer certificate. Enabling it also
     * clears the endpoint identification algorithm, i.e. turns off hostname
     * verification; note that {@code setTrustAll(false)} does not restore it,
     * so callers toggling this must reset the algorithm themselves.
     *
     * @param z true to accept any certificate (test/development only)
     */
    public void setTrustAll(boolean z) {
        _trustAll = z;
        if (!z) {
            return;
        }
        setEndpointIdentificationAlgorithm(null);
    }

    /**
     * @param str the algorithm name passed to {@code TrustManagerFactory.getInstance};
     *            anything other than "PKIX" bypasses peer path validation
     */
    public void setTrustManagerFactoryAlgorithm(String str) {
        _trustManagerFactoryAlgorithm = str;
    }

    /**
     * @return whether TLS renegotiation initiated by the peer is permitted
     */
    @ManagedAttribute("Whether renegotiation is allowed")
    public boolean isRenegotiationAllowed() {
        return _renegotiationAllowed;
    }

    /**
     * @param z true to permit TLS renegotiation
     */
    public void setRenegotiationAllowed(boolean z) {
        _renegotiationAllowed = z;
    }

    /**
     * @return the maximum number of renegotiations tolerated per connection
     */
    @ManagedAttribute("The max number of renegotiations allowed")
    public int getRenegotiationLimit() {
        return _renegotiationLimit;
    }

    /**
     * @param i the maximum number of renegotiations tolerated per connection
     */
    public void setRenegotiationLimit(int i) {
        _renegotiationLimit = i;
    }

    /**
     * @return the path of the CRL file loaded by {@link #loadCRL(String)}, or null
     */
    @ManagedAttribute("The path to the certificate revocation list file")
    public String getCrlPath() {
        return _crlPath;
    }

    /**
     * @param str the path of the CRL file, or null for none
     */
    public void setCrlPath(String str) {
        _crlPath = str;
    }

    /**
     * @return the maximum intermediate-certificate count accepted during PKIX
     *         path building (see {@link #newPKIXBuilderParameters(KeyStore, Collection)})
     */
    @ManagedAttribute("The maximum number of intermediate certificates")
    public int getMaxCertPathLength() {
        return _maxCertPathLength;
    }

    /**
     * @param i the maximum intermediate-certificate count for PKIX path building
     */
    public void setMaxCertPathLength(int i) {
        _maxCertPathLength = i;
    }

    /**
     * Returns the SSLContext in use. Before the factory is started this is
     * whatever {@link #setSslContext(SSLContext)} provided; afterwards it is
     * the context built at load time, read under the factory lock.
     *
     * @return the SSLContext
     * @throws IllegalStateException if started but a {@link #reload(Consumer)}
     *         left the factory without a loaded context
     */
    public SSLContext getSslContext() {
        if (!isStarted()) {
            return _setContext;
        }
        try (AutoLock l = _lock.lock()) {
            if (_factory == null) {
                throw new IllegalStateException("SslContextFactory reload failed");
            }
            return _factory._context;
        }
    }

    /**
     * @param sSLContext a pre-built SSLContext to use instead of loading one
     *                   from the configured stores
     */
    public void setSslContext(SSLContext sSLContext) {
        _setContext = sSLContext;
    }

    /**
     * @return the endpoint identification algorithm applied in
     *         {@link #customize(SSLParameters)}; null disables hostname verification
     */
    @ManagedAttribute("The endpoint identification algorithm")
    public String getEndpointIdentificationAlgorithm() {
        return _endpointIdentificationAlgorithm;
    }

    /**
     * @param str the endpoint identification algorithm (e.g. "HTTPS"), or
     *            null to disable hostname verification
     */
    public void setEndpointIdentificationAlgorithm(String str) {
        _endpointIdentificationAlgorithm = str;
    }

    /**
     * @return the additional path checker added to PKIX validation, or null
     */
    public PKIXCertPathChecker getPkixCertPathChecker() {
        return _pkixCertPathChecker;
    }

    /**
     * @param pKIXCertPathChecker an extra checker run during PKIX path
     *                            validation, or null for none
     */
    public void setPkixCertPathChecker(PKIXCertPathChecker pKIXCertPathChecker) {
        _pkixCertPathChecker = pKIXCertPathChecker;
    }

    /**
     * Loads the key store from the given resource using the configured type,
     * provider and key store credential.
     *
     * @param resource the key store resource
     * @return the loaded KeyStore
     * @throws Exception if the store cannot be read or decrypted
     */
    protected KeyStore loadKeyStore(Resource resource) throws Exception {
        String password = Objects.toString(_keyStoreCredential, null);
        return CertificateUtils.getKeyStore(resource, getKeyStoreType(), getKeyStoreProvider(), password);
    }

    /**
     * Loads the trust store. Type and provider default to the key store's
     * values when unset; when no distinct trust store resource is configured
     * (null, or the same resource as the key store) the key store itself is
     * used, and its credential too if no trust store credential was given.
     *
     * @param resource the trust store resource, may be null
     * @return the loaded KeyStore holding trusted certificates
     * @throws Exception if the store cannot be read or decrypted
     */
    protected KeyStore loadTrustStore(Resource resource) throws Exception {
        String type = Objects.toString(getTrustStoreType(), getKeyStoreType());
        String provider = Objects.toString(getTrustStoreProvider(), getKeyStoreProvider());
        Credential credential = _trustStoreCredential;
        boolean sharesKeyStore = resource == null || resource.equals(_keyStoreResource);
        if (sharesKeyStore) {
            resource = _keyStoreResource;
            if (credential == null) {
                credential = _keyStoreCredential;
            }
        }
        String password = Objects.toString(credential, null);
        return CertificateUtils.getKeyStore(resource, type, provider, password);
    }

    /**
     * Loads certificate revocation lists from a file path.
     *
     * @param str the CRL file path
     * @return the CRLs read from the file
     * @throws Exception if the file cannot be read or parsed
     */
    protected Collection<? extends CRL> loadCRL(String str) throws Exception {
        Collection<? extends CRL> crls = CertificateUtils.loadCRL(str);
        return crls;
    }

    /**
     * Builds the key managers for the given key store. The private key
     * password is the key manager credential when set, else the key store
     * credential. When a certificate alias is configured, every
     * {@link X509ExtendedKeyManager} is wrapped so that alias is presented.
     *
     * @param keyStore the key store, may be null
     * @return the key managers, or null when no key store is given
     * @throws Exception if the KeyManagerFactory cannot be created or initialised
     */
    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception {
        KeyManager[] managers = null;
        if (keyStore != null) {
            KeyManagerFactory kmf = getKeyManagerFactoryInstance();
            Credential credential = _keyManagerCredential != null ? _keyManagerCredential : _keyStoreCredential;
            // The credential is materialised as a String and then a char[]; neither
            // copy is zeroed afterwards.
            char[] password = credential == null ? null : credential.toString().toCharArray();
            kmf.init(keyStore, password);
            managers = kmf.getKeyManagers();
            String alias = getCertAlias();
            if (managers != null && alias != null) {
                for (int idx = 0; idx < managers.length; idx++) {
                    KeyManager km = managers[idx];
                    if (km instanceof X509ExtendedKeyManager) {
                        managers[idx] = new AliasedX509ExtendedKeyManager((X509ExtendedKeyManager) km, alias);
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("managers={} for {}", managers, this);
        }
        return managers;
    }

    /**
     * Builds the trust managers for the given trust store. Full PKIX path
     * validation with revocation checking is used only when
     * {@link #isValidatePeerCerts()} is true <em>and</em> the trust manager
     * algorithm is "PKIX"; every other combination initialises the factory
     * with the bare key store, i.e. without the CRLs, path length limit or
     * extra path checker configured on this factory.
     *
     * @param keyStore   the trust store, may be null
     * @param collection CRLs to consult during PKIX validation, may be null/empty
     * @return the trust managers, or null when no trust store is given
     * @throws Exception if the TrustManagerFactory cannot be created or initialised
     */
    protected TrustManager[] getTrustManagers(KeyStore keyStore, Collection<? extends CRL> collection) throws Exception {
        if (keyStore == null) {
            return null;
        }
        boolean pkixValidation = isValidatePeerCerts() && "PKIX".equalsIgnoreCase(getTrustManagerFactoryAlgorithm());
        TrustManagerFactory tmf;
        if (pkixValidation) {
            PKIXBuilderParameters params = newPKIXBuilderParameters(keyStore, collection);
            tmf = getTrustManagerFactoryInstance();
            tmf.init(new CertPathTrustManagerParameters(params));
        } else {
            tmf = getTrustManagerFactoryInstance();
            tmf.init(keyStore);
        }
        return tmf.getTrustManagers();
    }

    /**
     * Creates PKIX parameters for peer validation: bounded path length,
     * revocation checking always on, the optional extra path checker and a
     * CertStore holding the supplied CRLs.
     * <p>
     * Side effect: when CRLDP or OCSP is enabled this mutates JVM-wide
     * properties ({@code com.sun.security.enableCRLDP}, {@code ocsp.enable},
     * {@code ocsp.responderURL}), which affects every PKIX validation in the
     * process, not just this factory, and is never reverted.
     *
     * @param keyStore   the trust anchors
     * @param collection CRLs to make available, may be null or empty
     * @return the configured parameters
     * @throws Exception if the parameters or CertStore cannot be created
     */
    protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore keyStore, Collection<? extends CRL> collection) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        params.setMaxPathLength(_maxCertPathLength);
        params.setRevocationEnabled(true);
        PKIXCertPathChecker extraChecker = _pkixCertPathChecker;
        if (extraChecker != null) {
            params.addCertPathChecker(extraChecker);
        }
        boolean hasCrls = collection != null && !collection.isEmpty();
        if (hasCrls) {
            params.addCertStore(getCertStoreInstance(collection));
        }
        if (_enableCRLDP) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
        if (_enableOCSP) {
            Security.setProperty("ocsp.enable", "true");
            String responder = _ocspResponderURL;
            if (responder != null) {
                Security.setProperty("ocsp.responderURL", responder);
            }
        }
        return params;
    }

    /**
     * Computes the protocols to enable from the engine's enabled/supported
     * sets and this factory's include/exclude patterns, storing the result
     * for {@link #customize(SSLParameters)}.
     *
     * @param strArr  the protocols the engine enables by default
     * @param strArr2 the protocols the engine supports
     */
    public void selectProtocols(String[] strArr, String[] strArr2) {
        List<String> selected = processIncludeExcludePatterns("Protocols", strArr, strArr2, _includeProtocols, _excludeProtocols);
        if (selected.isEmpty()) {
            // An empty selection means no TLS handshake can succeed; surface it loudly.
            LOG.warn("No selected Protocols from {}", Arrays.asList(strArr2));
        }
        _selectedProtocols = selected.toArray(String[]::new);
    }

    /**
     * Computes the cipher suites to enable from the engine's enabled/supported
     * sets and this factory's include/exclude patterns, optionally sorts them
     * with {@link #getCipherComparator()}, and stores the result for
     * {@link #customize(SSLParameters)}.
     *
     * @param strArr  the cipher suites the engine enables by default
     * @param strArr2 the cipher suites the engine supports
     */
    protected void selectCipherSuites(String[] strArr, String[] strArr2) {
        List<String> selected = processIncludeExcludePatterns("Cipher Suite", strArr, strArr2, _includeCipherSuites, _excludeCipherSuites);
        if (selected.isEmpty()) {
            LOG.warn("No supported Cipher Suite from {}", Arrays.asList(strArr2));
        }
        Comparator<String> ordering = getCipherComparator();
        if (ordering == null) {
            _selectedCipherSuites = selected.toArray(String[]::new);
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Sorting selected ciphers with {}", ordering);
        }
        selected.sort(ordering);
        _selectedCipherSuites = selected.toArray(String[]::new);
    }

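    /**
     * Applies include and exclude regex patterns to a set of TLS names.
     * With no include patterns the starting set is {@code strArr} (the
     * engine's enabled names); otherwise each include pattern is matched
     * with {@code Matcher.matches()} (full match) against {@code strArr2}
     * (the supported names) and every match is appended, in pattern order,
     * so one name can appear more than once if several patterns match it.
     * Exclude patterns are then applied to the result. Patterns come from
     * configuration and are compiled as-is; an invalid pattern throws.
     *
     * @param str     the category name used in log messages ("Protocols", "Cipher Suite")
     * @param strArr  the engine's enabled names
     * @param strArr2 the engine's supported names
     * @param set     include patterns, may be empty
     * @param set2    exclude patterns, may be empty
     * @return the mutable list of selected names
     */
    private List<String> processIncludeExcludePatterns(String str, String[] strArr, String[] strArr2, Set<String> set, Set<String> set2) {
        // Typed list instead of the raw ArrayList the original used.
        List<String> selected = new ArrayList<>();
        if (set.isEmpty()) {
            selected.addAll(Arrays.asList(strArr));
        } else {
            for (String includePattern : set) {
                Pattern pattern = Pattern.compile(includePattern);
                boolean matchedAny = false;
                for (String candidate : strArr2) {
                    if (pattern.matcher(candidate).matches()) {
                        matchedAny = true;
                        selected.add(candidate);
                    }
                }
                if (!matchedAny) {
                    // Logged, not thrown: a pattern the platform does not support is common.
                    LOG.info("No {} matching '{}' is supported", str, includePattern);
                }
            }
        }
        for (String excludePattern : set2) {
            Pattern pattern = Pattern.compile(excludePattern);
            selected.removeIf(candidate -> pattern.matcher(candidate).matches());
        }
        return selected;
    }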

    /**
     * No-op retained for binary compatibility; include handling now lives in
     * {@code processIncludeExcludePatterns}.
     *
     * @param strArr ignored
     * @param list   ignored
     * @deprecated no longer called by this class
     */
    @Deprecated
    protected void processIncludeCipherSuites(String[] strArr, List<String> list) {
    }

    /**
     * No-op retained for binary compatibility; exclude handling now lives in
     * {@code processIncludeExcludePatterns}.
     *
     * @param list ignored
     * @deprecated no longer called by this class
     */
    @Deprecated
    protected void removeExcludedCipherSuites(List<String> list) {
    }

    /**
     * Guards operations that need a loaded SSLContext.
     *
     * @throws IllegalStateException if the factory has not been started
     */
    private void checkIsStarted() {
        if (isStarted()) {
            return;
        }
        throw new IllegalStateException("!STARTED: " + this);
    }

    /**
     * @return whether CRL distribution points are followed during PKIX
     *         validation (set JVM-wide via a system property at load time)
     */
    @ManagedAttribute("Whether certificate revocation list distribution points is enabled")
    public boolean isEnableCRLDP() {
        return _enableCRLDP;
    }

    /**
     * @param z true to follow CRL distribution points; this is applied as a
     *          JVM-wide system property, see
     *          {@link #newPKIXBuilderParameters(KeyStore, Collection)}
     */
    public void setEnableCRLDP(boolean z) {
        _enableCRLDP = z;
    }

    /**
     * @return whether OCSP checking is enabled during PKIX validation
     *         (set JVM-wide via a security property at load time)
     */
    @ManagedAttribute("Whether online certificate status protocol support is enabled")
    public boolean isEnableOCSP() {
        return _enableOCSP;
    }

    /**
     * @param z true to enable OCSP; this is applied as a JVM-wide security
     *          property, see {@link #newPKIXBuilderParameters(KeyStore, Collection)}
     */
    public void setEnableOCSP(boolean z) {
        _enableOCSP = z;
    }

    /**
     * @return the OCSP responder URL override, or null to use the URL from
     *         each certificate's AIA extension
     */
    @ManagedAttribute("The online certificate status protocol URL")
    public String getOcspResponderURL() {
        return _ocspResponderURL;
    }

    /**
     * @param str the OCSP responder URL override, or null; applied JVM-wide
     *            when OCSP is enabled
     */
    public void setOcspResponderURL(String str) {
        _ocspResponderURL = str;
    }

    /**
     * @param keyStore a pre-loaded key store to use instead of loading from
     *                 the configured path
     */
    public void setKeyStore(KeyStore keyStore) {
        _setKeyStore = keyStore;
    }

    /**
     * Returns the key store in use: the one supplied via
     * {@link #setKeyStore(KeyStore)} before start, or the loaded one
     * afterwards (read under the factory lock).
     *
     * @return the key store
     * @throws IllegalStateException if started but a reload left no loaded state
     */
    public KeyStore getKeyStore() {
        if (!isStarted()) {
            return _setKeyStore;
        }
        try (AutoLock l = _lock.lock()) {
            if (_factory == null) {
                throw new IllegalStateException("SslContextFactory reload failed");
            }
            return _factory._keyStore;
        }
    }

    /**
     * @param keyStore a pre-loaded trust store to use instead of loading from
     *                 the configured path
     */
    public void setTrustStore(KeyStore keyStore) {
        _setTrustStore = keyStore;
    }

    /**
     * Returns the trust store in use: the one supplied via
     * {@link #setTrustStore(KeyStore)} before start, or the loaded one
     * afterwards (read under the factory lock).
     *
     * @return the trust store
     * @throws IllegalStateException if started but a reload left no loaded state
     */
    public KeyStore getTrustStore() {
        if (!isStarted()) {
            return _setTrustStore;
        }
        try (AutoLock l = _lock.lock()) {
            if (_factory == null) {
                throw new IllegalStateException("SslContextFactory reload failed");
            }
            return _factory._trustStore;
        }
    }

    /**
     * @param resource the key store resource; unlike {@link #setKeyStorePath(String)}
     *                 this performs no readability check
     */
    public void setKeyStoreResource(Resource resource) {
        _keyStoreResource = resource;
    }

    /**
     * @return the configured key store resource, or null
     */
    public Resource getKeyStoreResource() {
        return _keyStoreResource;
    }

    /**
     * @param resource the trust store resource; unlike {@link #setTrustStorePath(String)}
     *                 this performs no readability check
     */
    public void setTrustStoreResource(Resource resource) {
        _trustStoreResource = resource;
    }

    /**
     * @return the configured trust store resource, or null
     */
    public Resource getTrustStoreResource() {
        return _trustStoreResource;
    }

    /**
     * @return whether engines are created with peer host/port so the JSSE
     *         session cache can resume sessions (see {@link #newSSLEngine(String, int)})
     */
    @ManagedAttribute("Whether TLS session caching is enabled")
    public boolean isSessionCachingEnabled() {
        return _sessionCachingEnabled;
    }

    /**
     * @param z true to enable TLS session caching/resumption
     */
    public void setSessionCachingEnabled(boolean z) {
        _sessionCachingEnabled = z;
    }

    /**
     * @return the maximum number of cached TLS sessions
     */
    @ManagedAttribute("The maximum TLS session cache size")
    public int getSslSessionCacheSize() {
        return _sslSessionCacheSize;
    }

    /**
     * @param i the maximum number of cached TLS sessions
     */
    public void setSslSessionCacheSize(int i) {
        _sslSessionCacheSize = i;
    }

    /**
     * @return the TLS session cache timeout in seconds
     */
    @ManagedAttribute("The TLS session cache timeout, in seconds")
    public int getSslSessionTimeout() {
        return _sslSessionTimeout;
    }

    /**
     * @param i the TLS session cache timeout in seconds
     */
    public void setSslSessionTimeout(int i) {
        _sslSessionTimeout = i;
    }

    /**
     * @return the custom hostname verifier, or null; distinct from the
     *         endpoint identification algorithm applied by {@link #customize(SSLParameters)}
     */
    public HostnameVerifier getHostnameVerifier() {
        return _hostnameVerifier;
    }

    /**
     * @param hostnameVerifier a custom hostname verifier, or null for none
     */
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        _hostnameVerifier = hostnameVerifier;
    }

    /**
     * Reads a password from a system property.
     *
     * @param str the system property name
     * @return a Password built from the property value, or null if unset
     * @deprecated use {@link #getCredential(String)}; this is only still
     *             invoked when a subclass overrides it
     */
    @Deprecated(since = "12.0.13", forRemoval = true)
    protected Password getPassword(String str) {
        String value = System.getProperty(str);
        return value == null ? null : newPassword(value);
    }

    /**
     * Wraps a raw or obfuscated password string.
     *
     * @param str the password text
     * @return a new Password
     * @deprecated use {@link #newCredential(String)}; this is only still
     *             invoked when a subclass overrides it
     */
    @Deprecated(since = "12.0.13", forRemoval = true)
    public Password newPassword(String str) {
        Password password = new Password(str);
        return password;
    }

    /**
     * Reads a credential from a system property. If a subclass still declares
     * the deprecated {@code getPassword(String)} override, that is honoured
     * instead so legacy subclasses keep their behaviour.
     *
     * @param str the system property name
     * @return the credential, or null if the property is unset
     */
    protected Credential getCredential(String str) {
        boolean legacyOverride = TypeUtil.isDeclaredMethodOn(this, "getPassword", String.class);
        if (legacyOverride) {
            return getPassword(str);
        }
        String value = System.getProperty(str);
        return value == null ? null : newCredential(value);
    }

    /**
     * Builds a credential from a password string. If a subclass still declares
     * the deprecated {@code newPassword(String)} override, that is used.
     *
     * @param str the password text
     * @return the credential
     */
    public Credential newCredential(String str) {
        boolean legacyOverride = TypeUtil.isDeclaredMethodOn(this, "newPassword", String.class);
        if (legacyOverride) {
            return newPassword(str);
        }
        return Credential.getCredential(str);
    }

    /**
     * Creates a bound TLS server socket whose parameters have been customized
     * by this factory (protocols, cipher suites, client-auth, SNI).
     *
     * @param str the host/interface to bind, or null for all interfaces
     * @param i   the port
     * @param i2  the listen backlog
     * @return the configured server socket
     * @throws IOException           if the socket cannot be created or bound
     * @throws IllegalStateException if the factory is not started
     */
    public SSLServerSocket newSslServerSocket(String str, int i, int i2) throws IOException {
        checkIsStarted();
        SSLServerSocketFactory factory = getSslContext().getServerSocketFactory();
        SSLServerSocket socket;
        if (str == null) {
            socket = (SSLServerSocket) factory.createServerSocket(i, i2);
        } else {
            socket = (SSLServerSocket) factory.createServerSocket(i, i2, InetAddress.getByName(str));
        }
        socket.setSSLParameters(customize(socket.getSSLParameters()));
        return socket;
    }

    /**
     * Creates an unconnected TLS client socket whose parameters have been
     * customized by this factory.
     *
     * @return the configured socket
     * @throws IOException           if the socket cannot be created
     * @throws IllegalStateException if the factory is not started
     */
    public SSLSocket newSslSocket() throws IOException {
        checkIsStarted();
        SSLSocket socket = (SSLSocket) getSslContext().getSocketFactory().createSocket();
        SSLParameters params = customize(socket.getSSLParameters());
        socket.setSSLParameters(params);
        return socket;
    }

    /**
     * Obtains a CertificateFactory, preferring the configured provider.
     * If the named provider fails for any reason the JVM default provider is
     * used instead and only an INFO (or DEBUG with the cause) line is logged —
     * deployments that depend on a particular provider should alert on that
     * message rather than assume the configured one is in effect.
     *
     * @param str the certificate type, e.g. "X.509"
     * @return the factory
     * @throws CertificateException if the default provider cannot supply the type either
     */
    protected CertificateFactory getCertificateFactoryInstance(String str) throws CertificateException {
        String provider = getProvider();
        if (provider == null) {
            return CertificateFactory.getInstance(str);
        }
        try {
            return CertificateFactory.getInstance(str, provider);
        } catch (Throwable th) {
            String message = String.format("Unable to get CertificateFactory instance for type [%s] on provider [%s], using default", str, provider);
            if (LOG.isDebugEnabled()) {
                LOG.debug(message, th);
            } else {
                LOG.info(message);
            }
            return CertificateFactory.getInstance(str);
        }
    }

    /**
     * Wraps the given CRLs in a "Collection" CertStore, preferring the
     * configured provider and silently (INFO/DEBUG log) falling back to the
     * JVM default provider on any failure.
     *
     * @param collection the CRLs to expose
     * @return the CertStore
     * @throws InvalidAlgorithmParameterException if the parameters are rejected by the default provider
     * @throws NoSuchAlgorithmException           if no provider supports "Collection"
     */
    protected CertStore getCertStoreInstance(Collection<? extends CRL> collection) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        String provider = getProvider();
        if (provider == null) {
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection));
        }
        try {
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection), provider);
        } catch (Throwable th) {
            String message = String.format("Unable to get CertStore instance for type [%s] on provider [%s], using default", "Collection", provider);
            if (LOG.isDebugEnabled()) {
                LOG.debug(message, th);
            } else {
                LOG.info(message);
            }
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection));
        }
    }

    /**
     * Obtains a KeyManagerFactory for the configured algorithm, preferring the
     * configured provider and silently (INFO/DEBUG log) falling back to the
     * JVM default provider on any failure.
     *
     * @return the factory
     * @throws NoSuchAlgorithmException if the default provider lacks the algorithm too
     */
    protected KeyManagerFactory getKeyManagerFactoryInstance() throws NoSuchAlgorithmException {
        String algorithm = getKeyManagerFactoryAlgorithm();
        String provider = getProvider();
        if (provider == null) {
            return KeyManagerFactory.getInstance(algorithm);
        }
        try {
            return KeyManagerFactory.getInstance(algorithm, provider);
        } catch (Throwable th) {
            String message = String.format("Unable to get KeyManagerFactory instance for algorithm [%s] on provider [%s], using default", algorithm, provider);
            if (LOG.isDebugEnabled()) {
                LOG.debug(message, th);
            } else {
                LOG.info(message);
            }
            return KeyManagerFactory.getInstance(algorithm);
        }
    }

    /**
     * Obtains a SecureRandom for the configured algorithm, or null when no
     * algorithm is configured (letting the SSLContext pick its own). Prefers
     * the configured provider and silently (INFO/DEBUG log) falls back to the
     * JVM default provider on any failure.
     *
     * @return the SecureRandom, or null
     * @throws NoSuchAlgorithmException if the default provider lacks the algorithm too
     */
    protected SecureRandom getSecureRandomInstance() throws NoSuchAlgorithmException {
        String algorithm = getSecureRandomAlgorithm();
        if (algorithm == null) {
            return null;
        }
        String provider = getProvider();
        if (provider == null) {
            return SecureRandom.getInstance(algorithm);
        }
        try {
            return SecureRandom.getInstance(algorithm, provider);
        } catch (Throwable th) {
            String message = String.format("Unable to get SecureRandom instance for algorithm [%s] on provider [%s], using default", algorithm, provider);
            if (LOG.isDebugEnabled()) {
                LOG.debug(message, th);
            } else {
                LOG.info(message);
            }
            return SecureRandom.getInstance(algorithm);
        }
    }

    /**
     * Obtains an SSLContext for the configured protocol, preferring the
     * configured provider and silently (INFO/DEBUG log) falling back to the
     * JVM default provider on any failure.
     *
     * @return the uninitialised SSLContext
     * @throws NoSuchAlgorithmException if the default provider lacks the protocol too
     */
    protected SSLContext getSSLContextInstance() throws NoSuchAlgorithmException {
        String protocol = getProtocol();
        String provider = getProvider();
        if (provider == null) {
            return SSLContext.getInstance(protocol);
        }
        try {
            return SSLContext.getInstance(protocol, provider);
        } catch (Throwable th) {
            String message = String.format("Unable to get SSLContext instance for protocol [%s] on provider [%s], using default", protocol, provider);
            if (LOG.isDebugEnabled()) {
                LOG.debug(message, th);
            } else {
                LOG.info(message);
            }
            return SSLContext.getInstance(protocol);
        }
    }

    /**
     * Obtains a TrustManagerFactory for the configured algorithm, preferring
     * the configured provider and silently (INFO/DEBUG log) falling back to
     * the JVM default provider on any failure.
     *
     * @return the factory
     * @throws NoSuchAlgorithmException if the default provider lacks the algorithm too
     */
    protected TrustManagerFactory getTrustManagerFactoryInstance() throws NoSuchAlgorithmException {
        String algorithm = getTrustManagerFactoryAlgorithm();
        String provider = getProvider();
        if (provider == null) {
            return TrustManagerFactory.getInstance(algorithm);
        }
        try {
            return TrustManagerFactory.getInstance(algorithm, provider);
        } catch (Throwable th) {
            String message = String.format("Unable to get TrustManagerFactory instance for algorithm [%s] on provider [%s], using default", algorithm, provider);
            if (LOG.isDebugEnabled()) {
                LOG.debug(message, th);
            } else {
                LOG.info(message);
            }
            return TrustManagerFactory.getInstance(algorithm);
        }
    }

    /**
     * Creates an SSLEngine with no peer host/port (so no session resumption
     * hint) and applies this factory's customizations.
     *
     * @return the configured engine
     * @throws IllegalStateException if the factory is not started
     */
    public SSLEngine newSSLEngine() {
        checkIsStarted();
        SSLEngine engine = getSslContext().createSSLEngine();
        customize(engine);
        return engine;
    }

    /**
     * Creates an SSLEngine for a peer. The host/port are handed to the
     * SSLContext only when session caching is enabled, since they are what
     * JSSE keys its session cache on.
     *
     * @param str the peer host
     * @param i   the peer port
     * @return the configured engine
     * @throws IllegalStateException if the factory is not started
     */
    public SSLEngine newSSLEngine(String str, int i) {
        checkIsStarted();
        SSLContext context = getSslContext();
        SSLEngine engine;
        if (isSessionCachingEnabled()) {
            engine = context.createSSLEngine(str, i);
        } else {
            engine = context.createSSLEngine();
        }
        customize(engine);
        return engine;
    }

    /**
     * Creates an SSLEngine for the given peer address, or a peer-less engine
     * when the address is null.
     *
     * @param inetSocketAddress the peer address, may be null
     * @return the configured engine
     */
    public SSLEngine newSSLEngine(InetSocketAddress inetSocketAddress) {
        if (inetSocketAddress == null) {
            return newSSLEngine();
        }
        // getHostString() avoids a reverse DNS lookup for unresolved addresses.
        return newSSLEngine(inetSocketAddress.getHostString(), inetSocketAddress.getPort());
    }

    /**
     * Applies this factory's SSL parameters to an existing engine.
     *
     * @param sSLEngine the engine to configure
     */
    public void customize(SSLEngine sSLEngine) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Customize {}", sSLEngine);
        }
        SSLParameters params = customize(sSLEngine.getSSLParameters());
        sSLEngine.setSSLParameters(params);
    }

    /**
     * Applies this factory's settings to an SSLParameters instance in place:
     * endpoint identification (a null algorithm disables hostname
     * verification), cipher-suite ordering, an SNI matcher when host
     * certificates are loaded, the selected cipher suites and protocols, and
     * — for a {@code Server} factory — want/need client auth.
     *
     * @param sSLParameters the parameters to modify
     * @return the same instance, for chaining
     */
    public SSLParameters customize(SSLParameters sSLParameters) {
        sSLParameters.setEndpointIdentificationAlgorithm(getEndpointIdentificationAlgorithm());
        sSLParameters.setUseCipherSuitesOrder(isUseCipherSuitesOrder());
        boolean hasHostCerts = !(_certHosts.isEmpty() && _certWilds.isEmpty());
        if (hasHostCerts) {
            sSLParameters.setSNIMatchers(List.of(new AliasSNIMatcher()));
        }
        String[] cipherSuites = _selectedCipherSuites;
        if (cipherSuites != null) {
            sSLParameters.setCipherSuites(cipherSuites);
        }
        String[] protocols = _selectedProtocols;
        if (protocols != null) {
            sSLParameters.setProtocols(protocols);
        }
        if (this instanceof Server) {
            Server server = (Server) this;
            // Only ever raises the flags; an already-true value is never cleared.
            if (server.getWantClientAuth()) {
                sSLParameters.setWantClientAuth(true);
            }
            if (server.getNeedClientAuth()) {
                sSLParameters.setNeedClientAuth(true);
            }
        }
        return sSLParameters;
    }

    /**
     * Atomically reconfigures and reloads the factory: the consumer mutates
     * settings, then all loaded state is dropped and rebuilt, all under the
     * factory lock. If {@code load()} fails the factory is left unloaded and
     * {@link #getSslContext()} throws until a later reload succeeds.
     *
     * @param consumer receives this factory to change its configuration
     * @throws Exception if loading the new configuration fails
     */
    public void reload(Consumer<SslContextFactory> consumer) throws Exception {
        try (AutoLock l = _lock.lock()) {
            consumer.accept(this);
            unload();
            load();
        }
    }

    /**
     * Extracts the peer's certificate chain from a session using this
     * factory's CertificateFactory.
     *
     * @param sSLSession the session
     * @return the chain, or null if the peer was not verified or extraction failed
     */
    public X509Certificate[] getX509CertChain(SSLSession sSLSession) {
        CertificateFactory factory = _x509CertificateFactory;
        return getX509CertChain(factory, sSLSession);
    }

    /**
     * Extracts the peer's certificate chain from a session using a freshly
     * obtained default X.509 CertificateFactory.
     *
     * @param sSLSession the session
     * @return the chain, or null if the peer was not verified or extraction failed
     */
    public static X509Certificate[] getCertChain(SSLSession sSLSession) {
        CertificateFactory noFactory = null;
        return getX509CertChain(noFactory, sSLSession);
    }

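    /**
     * Re-parses the peer certificate chain of a session into
     * {@link X509Certificate} instances via the given factory.
     * <p>
     * The whole extraction runs inside one try block: both
     * {@code SSLSession.getPeerCertificates()} (checked
     * {@link SSLPeerUnverifiedException}) and the re-encoding/parsing calls
     * (checked {@code CertificateException}) can fail, and the original only
     * guarded the factory lookup, leaving those checked exceptions unhandled.
     *
     * @param certificateFactory the factory to parse with, or null to obtain a default X.509 one
     * @param sSLSession         the session, may be null
     * @return the chain, or null when there is no session, the peer was not
     *         verified, the chain is empty, or parsing failed (logged at WARN)
     */
    private static X509Certificate[] getX509CertChain(CertificateFactory certificateFactory, SSLSession sSLSession) {
        if (sSLSession == null) {
            return null;
        }
        try {
            if (certificateFactory == null) {
                certificateFactory = CertificateFactory.getInstance(X_509);
            }
            Certificate[] peerCertificates = sSLSession.getPeerCertificates();
            if (peerCertificates == null || peerCertificates.length == 0) {
                return null;
            }
            X509Certificate[] chain = new X509Certificate[peerCertificates.length];
            for (int i = 0; i < chain.length; i++) {
                // Round-trip through DER so the result is a plain X509Certificate
                // regardless of the provider-specific type the session holds.
                byte[] der = peerCertificates[i].getEncoded();
                chain[i] = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(der));
            }
            return chain;
        } catch (SSLPeerUnverifiedException e) {
            // No peer identity was established; not an error for callers.
            return null;
        } catch (Exception e) {
            LOG.warn("Unable to get X509CertChain", (Throwable) e);
            return null;
        }
    }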

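    /**
     * Heuristically derives the symmetric key length, in bits, from a cipher
     * suite name. Legacy suites whose names carry no explicit size are
     * matched by substring; all others are parsed with {@code KEY_SIZE_PATTERN}.
     * The value is informational (e.g. for request attributes) and is not
     * used to make security decisions.
     *
     * @param str the cipher suite name, may be null
     * @return the key length in bits, or 0 when it cannot be determined
     */
    public static int deduceKeyLength(String str) {
        if (str == null) {
            return 0;
        }
        if (str.contains("WITH_3DES_EDE_CBC_")) {
            return 168;
        }
        if (str.contains("WITH_IDEA_CBC_")) {
            // IDEA uses a fixed 128-bit key; the original returned an unrelated
            // queue-capacity constant that merely happened to equal 128.
            return 128;
        }
        if (str.contains("WITH_DES40_CBC_")) {
            return 40;
        }
        if (str.contains("WITH_DES_CBC_")) {
            return 56;
        }
        Matcher matcher = KEY_SIZE_PATTERN.matcher(str);
        if (!matcher.find()) {
            return 0;
        }
        try {
            return Integer.parseInt(matcher.group(1));
        } catch (NumberFormatException e) {
            // trace() is a no-op unless enabled, so no explicit isTraceEnabled() guard is needed.
            LOG.trace("unknown key length", (Throwable) e);
            return 0;
        }
    }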

    /**
     * Validates a certificate chain against this factory's trust store and
     * CRL file (both loaded fresh on every call).
     *
     * @param x509CertificateArr the chain to validate
     * @throws Exception if the stores cannot be loaded or validation fails
     */
    public void validateCerts(X509Certificate[] x509CertificateArr) throws Exception {
        KeyStore trustStore = loadTrustStore(_trustStoreResource);
        Collection<? extends CRL> crls = loadCRL(_crlPath);
        CertificateValidator validator = new CertificateValidator(trustStore, crls);
        validator.validate(x509CertificateArr);
    }

    /**
     * @return a diagnostic string naming the provider and store resources;
     *         deliberately excludes credentials
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public String toString() {
        String simpleName = getClass().getSimpleName();
        return String.format("%s@%x[provider=%s,keyStore=%s,trustStore=%s]", simpleName, hashCode(), _sslProvider, _keyStoreResource, _trustStoreResource);
    }
}
