package org.springframework.boot.web.embedded.tomcat;

import ch.qos.logback.core.joran.spi.ConfigurationWatchList;
import java.util.Map;
import org.apache.catalina.connector.Connector;
import org.apache.commons.logging.Log;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslOptions;
import org.springframework.boot.ssl.SslStoreBundle;
import org.springframework.boot.web.server.Ssl;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.validation.DefaultBindingErrorProcessor;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-boot-3.4.4.jar:org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.class */
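/**
 * Applies a Spring Boot {@link SslBundle} (key material, trust material,
 * ciphers, protocols and client-auth mode) to a Tomcat {@link Connector}.
 * <p>
 * Each bundle becomes one Tomcat {@link SSLHostConfig} keyed by SNI host
 * name; {@link #update(String, SslBundle)} rebuilds that host config from a
 * refreshed bundle so a rotated certificate goes live without restarting the
 * connector.
 * <p>
 * The scheme and client-auth strings are plain literals on purpose: the
 * decompiled form of this class pointed at unrelated constants in
 * {@code ch.qos.logback} and {@code spring-validation} that merely happened to
 * hold the same text, which would couple TLS setup to libraries the servlet
 * container does not otherwise need.
 */
public class SslConnectorCustomizer {

    /** Scheme reported by the connector once TLS is enabled. */
    private static final String HTTPS_SCHEME = "https";

    /** Tomcat certificateVerification values, in ClientAuth order NONE / WANT / NEED. */
    private static final String CLIENT_CERT_NONE = "none";
    private static final String CLIENT_CERT_OPTIONAL = "optional";
    private static final String CLIENT_CERT_REQUIRED = "required";

    private final Log logger;

    private final Ssl.ClientAuth clientAuth;

    private final Connector connector;

    /**
     * Creates a customizer for one connector.
     * @param log logger used to report bundle reloads (host name only, never
     * key material or passwords)
     * @param connector the Tomcat connector whose protocol handler is configured
     * @param clientAuth the client-certificate policy applied to every host
     * config built by this customizer
     */
    public SslConnectorCustomizer(Log log, Connector connector, Ssl.ClientAuth clientAuth) {
        this.logger = log;
        this.clientAuth = clientAuth;
        this.connector = connector;
    }

    /**
     * Rebuilds the SSL host config for a host whose bundle has changed.
     * <p>
     * The existing host config is replaced in-place (see
     * {@code addSslHostConfig(..., true)} below), so the new key material,
     * trust store and option set take effect for subsequent handshakes.
     * @param str the SNI host name the bundle belongs to, or {@code null} to
     * target the protocol handler's default host config
     * @param sslBundle the refreshed bundle
     */
    public void update(String str, SslBundle sslBundle) {
        AbstractHttp11Protocol<?> protocol = (AbstractHttp11Protocol<?>) this.connector.getProtocolHandler();
        String hostName = (str != null) ? str : protocol.getDefaultSSLHostConfigName();
        this.logger.debug("SSL Bundle for host " + hostName + " has been updated, reloading SSL configuration");
        addSslHostConfig(protocol, hostName, sslBundle);
    }

    /**
     * Enables TLS on the connector and installs the default bundle plus any
     * per-host (SNI) bundles.
     * @param sslBundle bundle for the default host config; may be
     * {@code null}, in which case only {@code map} entries are installed
     * @param map additional bundles keyed by SNI host name
     * @throws IllegalStateException if the connector's protocol handler is not
     * an {@link AbstractHttp11Protocol}, the only handler type that exposes
     * the SSL host config API used here
     */
    public void customize(SslBundle sslBundle, Map<String, SslBundle> map) {
        ProtocolHandler protocolHandler = this.connector.getProtocolHandler();
        Assert.state(protocolHandler instanceof AbstractHttp11Protocol,
                "To use SSL, the connector's protocol handler must be an AbstractHttp11Protocol subclass");
        configureSsl((AbstractHttp11Protocol<?>) protocolHandler, sslBundle, map);
        // Mark the connector as secure so request.getScheme()/isSecure() reflect TLS.
        this.connector.setScheme(HTTPS_SCHEME);
        this.connector.setSecure(true);
    }

    /** Turns SSL on for the handler and installs the default and per-host configs. */
    private void configureSsl(AbstractHttp11Protocol<?> protocol, SslBundle defaultBundle,
            Map<String, SslBundle> hostBundles) {
        protocol.setSSLEnabled(true);
        if (defaultBundle != null) {
            addSslHostConfig(protocol, protocol.getDefaultSSLHostConfigName(), defaultBundle);
        }
        hostBundles.forEach((hostName, bundle) -> addSslHostConfig(protocol, hostName, bundle));
    }

    /**
     * Builds a fresh {@link SSLHostConfig} for {@code hostName} from the bundle
     * and registers it, replacing any config already held under that name.
     */
    private void addSslHostConfig(AbstractHttp11Protocol<?> protocol, String hostName, SslBundle bundle) {
        SSLHostConfig hostConfig = new SSLHostConfig();
        hostConfig.setHostName(hostName);
        configureSslClientAuth(hostConfig);
        applySslBundle(hostConfig, bundle);
        // 'true' = replace an existing config of the same host name (needed for reloads).
        protocol.addSslHostConfig(hostConfig, true);
    }

    /**
     * Copies the bundle's key, stores and options onto the host config.
     * <p>
     * Tomcat requires a non-null keystore password, so a bundle without one is
     * mapped to the empty string. Key password and alias are only set when the
     * bundle provides them; otherwise Tomcat falls back to its own defaults
     * (presumably the keystore password and the first usable key entry -
     * confirm against the Tomcat version in use).
     */
    private void applySslBundle(SSLHostConfig hostConfig, SslBundle bundle) {
        SslBundleKey key = bundle.getKey();
        SslStoreBundle stores = bundle.getStores();
        SslOptions options = bundle.getOptions();
        hostConfig.setSslProtocol(bundle.getProtocol());
        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(hostConfig,
                SSLHostConfigCertificate.Type.UNDEFINED);
        String keyStorePassword = stores.getKeyStorePassword();
        certificate.setCertificateKeystorePassword((keyStorePassword != null) ? keyStorePassword : "");
        if (key.getPassword() != null) {
            certificate.setCertificateKeyPassword(key.getPassword());
        }
        if (key.getAlias() != null) {
            certificate.setCertificateKeyAlias(key.getAlias());
        }
        hostConfig.addCertificate(certificate);
        // A null cipher list leaves Tomcat's default cipher selection in place.
        if (options.getCiphers() != null) {
            hostConfig.setCiphers(StringUtils.arrayToCommaDelimitedString(options.getCiphers()));
        }
        configureSslStores(hostConfig, certificate, stores);
        configureEnabledProtocols(hostConfig, options);
    }

    /**
     * Restricts the handshake to the bundle's enabled protocols when given.
     * The list is joined with '+' because Tomcat's {@code protocols} attribute
     * treats '+'-prefixed tokens as additions to the set; a null list leaves
     * Tomcat's default protocol set untouched.
     */
    private void configureEnabledProtocols(SSLHostConfig hostConfig, SslOptions options) {
        String[] enabledProtocols = options.getEnabledProtocols();
        if (enabledProtocols != null) {
            hostConfig.setProtocols(StringUtils.arrayToDelimitedString(enabledProtocols, "+"));
        }
    }

    /**
     * Maps the Spring {@link Ssl.ClientAuth} policy onto Tomcat's
     * {@code certificateVerification}: NONE -> "none", WANT -> "optional",
     * NEED -> "required". Only "required" enforces mutual TLS; "optional"
     * requests a client certificate but still accepts connections that present
     * none. How a {@code null} clientAuth is mapped is decided inside
     * {@code Ssl.ClientAuth.map} - verify it defaults to NONE for this deployment.
     */
    private void configureSslClientAuth(SSLHostConfig hostConfig) {
        hostConfig.setCertificateVerification(Ssl.ClientAuth.map(this.clientAuth,
                CLIENT_CERT_NONE, CLIENT_CERT_OPTIONAL, CLIENT_CERT_REQUIRED));
    }

    /**
     * Hands the bundle's already-loaded {@link java.security.KeyStore} objects
     * to Tomcat. Only stores that are present are set, so a bundle without a
     * trust store leaves Tomcat's trust configuration at its default.
     * @throws IllegalStateException wrapping any failure reported by Tomcat
     * while accepting the stores; the cause is preserved
     */
    private void configureSslStores(SSLHostConfig hostConfig, SSLHostConfigCertificate certificate,
            SslStoreBundle stores) {
        try {
            if (stores.getKeyStore() != null) {
                certificate.setCertificateKeystore(stores.getKeyStore());
            }
            if (stores.getTrustStore() != null) {
                hostConfig.setTrustStore(stores.getTrustStore());
            }
        }
        catch (Exception ex) {
            throw new IllegalStateException("Could not load store: " + ex.getMessage(), ex);
        }
    }

}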
