package org.springframework.boot.web.embedded.tomcat;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.pulsar.shade.org.asynchttpclient.uri.Uri;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslOptions;
import org.springframework.boot.ssl.SslStoreBundle;
import org.springframework.boot.web.server.Ssl;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.validation.DefaultBindingErrorProcessor;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-boot-3.1.3.jar:org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.class */
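/**
 * {@link TomcatConnectorCustomizer} that switches a Tomcat {@link Connector} to
 * HTTPS and configures its TLS host config from an {@link SslBundle} (key
 * alias/password, key and trust stores, cipher/protocol options) together with
 * the requested client-certificate authentication mode.
 * <p>
 * Security-relevant behaviour visible in this class:
 * <ul>
 * <li>Client certificate verification is controlled solely by the
 * {@code clientAuth} passed at construction (see
 * {@link #configureSslClientAuth(SSLHostConfig)}).</li>
 * <li>Cipher suites and enabled protocol versions are only applied when the
 * bundle's {@link SslOptions} provide them; when they are {@code null} the
 * Tomcat defaults remain in force.</li>
 * <li>A trust store is installed only if the bundle supplies one, so the
 * effective trust anchors for client authentication are whatever Tomcat falls
 * back to otherwise.</li>
 * </ul>
 * This listing is decompiled; the string constants below are written as the
 * literal Tomcat attribute values ({@code "https"}, {@code "required"}) rather
 * than as references to unrelated classes that merely happen to hold the same
 * strings, so the class does not depend on a shaded Pulsar {@code Uri} or on
 * Spring's binding-error codes.
 */
public class SslConnectorCustomizer implements TomcatConnectorCustomizer {
    /** Tomcat's {@code certificateVerification} value for "do not request a client certificate". */
    private static final String CERT_VERIFICATION_NONE = "none";
    /** Tomcat's {@code certificateVerification} value for "request but do not require a client certificate". */
    private static final String CERT_VERIFICATION_OPTIONAL = "optional";
    /** Tomcat's {@code certificateVerification} value for "a valid client certificate is mandatory". */
    private static final String CERT_VERIFICATION_REQUIRED = "required";
    /** Scheme reported by the connector once TLS is enabled. */
    private static final String HTTPS_SCHEME = "https";

    /** Requested client-auth mode; may be {@code null}, which {@code Ssl.ClientAuth.map} is left to interpret. */
    private final Ssl.ClientAuth clientAuth;
    /** Source of key, stores, options and protocol; dereferenced in {@link #customize(Connector)}. */
    private final SslBundle sslBundle;

    /**
     * Create a customizer.
     *
     * @param clientAuth the client authentication mode to apply
     * @param sslBundle  the bundle providing key material, stores and options
     */
    public SslConnectorCustomizer(Ssl.ClientAuth clientAuth, SslBundle sslBundle) {
        this.clientAuth = clientAuth;
        this.sslBundle = sslBundle;
    }

    /**
     * Enable TLS on the connector and mark it as secure.
     *
     * @param connector the connector to customize
     * @throws IllegalStateException if the connector's protocol handler is not an
     *                               {@link AbstractHttp11JsseProtocol}, or if the
     *                               stores cannot be installed
     */
    @Override // org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer
    public void customize(Connector connector) {
        ProtocolHandler handler = connector.getProtocolHandler();
        Assert.state(handler instanceof AbstractHttp11JsseProtocol, "To use SSL, the connector's protocol handler must be an AbstractHttp11JsseProtocol subclass");
        configureSsl((AbstractHttp11JsseProtocol) handler);
        // Scheme and secure flag are what downstream code (e.g. request.isSecure()) observes.
        connector.setScheme(HTTPS_SCHEME);
        connector.setSecure(true);
    }

    /**
     * Build a fresh {@link SSLHostConfig} for the protocol's default host name
     * and populate it from the bundle: protocol, client auth, certificate
     * (keystore password, key password, alias), ciphers, enabled protocols and
     * the actual key/trust stores.
     *
     * @param protocol the JSSE-capable protocol handler to configure
     */
    void configureSsl(AbstractHttp11JsseProtocol<?> protocol) {
        SslBundleKey key = this.sslBundle.getKey();
        SslStoreBundle stores = this.sslBundle.getStores();
        SslOptions options = this.sslBundle.getOptions();

        protocol.setSSLEnabled(true);
        SSLHostConfig hostConfig = new SSLHostConfig();
        hostConfig.setHostName(protocol.getDefaultSSLHostConfigName());
        hostConfig.setSslProtocol(this.sslBundle.getProtocol());
        protocol.addSslHostConfig(hostConfig);
        configureSslClientAuth(hostConfig);

        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(hostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
        // Tomcat is handed an empty string rather than null when no keystore
        // password is configured; presumably to avoid a null-password failure
        // when the store is opened (unverified here).
        String keyStorePassword = stores.getKeyStorePassword();
        certificate.setCertificateKeystorePassword(keyStorePassword != null ? keyStorePassword : "");
        // Key password and alias are optional; only the bundle-supplied values
        // are pushed so Tomcat's own defaults apply when they are absent.
        String keyPassword = key.getPassword();
        if (keyPassword != null) {
            certificate.setCertificateKeyPassword(keyPassword);
        }
        String keyAlias = key.getAlias();
        if (keyAlias != null) {
            certificate.setCertificateKeyAlias(keyAlias);
        }
        hostConfig.addCertificate(certificate);

        // An explicit cipher list replaces Tomcat's default selection wholesale;
        // a null list leaves the defaults untouched.
        String[] ciphers = options.getCiphers();
        if (ciphers != null) {
            hostConfig.setCiphers(StringUtils.arrayToCommaDelimitedString(ciphers));
        }
        configureEnabledProtocols(protocol);
        configureSslStoreProvider(protocol, hostConfig, certificate);
    }

    /**
     * Apply the bundle's enabled protocol versions (e.g. {@code TLSv1.3}) to every
     * host config registered on the protocol, using Tomcat's {@code +}-joined
     * syntax. Does nothing when the bundle does not specify any.
     *
     * @param protocol the protocol handler whose host configs are updated
     */
    private void configureEnabledProtocols(AbstractHttp11JsseProtocol<?> protocol) {
        String[] enabledProtocols = this.sslBundle.getOptions().getEnabledProtocols();
        if (enabledProtocols == null) {
            return;
        }
        String joined = StringUtils.arrayToDelimitedString(enabledProtocols, "+");
        // Note: this touches all host configs on the handler, not only the one
        // created in configureSsl.
        for (SSLHostConfig hostConfig : protocol.findSslHostConfigs()) {
            hostConfig.setProtocols(joined);
        }
    }

    /**
     * Translate the configured {@link Ssl.ClientAuth} into Tomcat's
     * {@code certificateVerification} attribute. The three values are passed in
     * the order {@code Ssl.ClientAuth.map} expects (assumed NONE, WANT, NEED —
     * matching Spring Boot's API). Only {@code "required"} makes a missing or
     * unverifiable client certificate fail the handshake; {@code "optional"}
     * accepts connections that present no certificate.
     *
     * @param hostConfig the host config to update
     */
    private void configureSslClientAuth(SSLHostConfig hostConfig) {
        String verification = Ssl.ClientAuth.map(this.clientAuth,
                CERT_VERIFICATION_NONE, CERT_VERIFICATION_OPTIONAL, CERT_VERIFICATION_REQUIRED);
        hostConfig.setCertificateVerification(verification);
    }

    /**
     * Install the bundle's in-memory key store on the certificate and its trust
     * store on the host config. Either is skipped when the bundle does not
     * provide it. Requires the NIO protocol, since only that handler accepts
     * {@code KeyStore} objects directly.
     *
     * @param protocol    the protocol handler (must be an {@link Http11NioProtocol})
     * @param hostConfig  the host config receiving the trust store
     * @param certificate the certificate entry receiving the key store
     * @throws IllegalArgumentException if {@code protocol} is not an {@link Http11NioProtocol}
     * @throws IllegalStateException    wrapping any failure while installing the stores
     */
    protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol, SSLHostConfig hostConfig, SSLHostConfigCertificate certificate) {
        Assert.isInstanceOf(Http11NioProtocol.class, protocol, "SslStoreProvider can only be used with Http11NioProtocol");
        try {
            SslStoreBundle stores = this.sslBundle.getStores();
            if (stores.getKeyStore() != null) {
                certificate.setCertificateKeystore(stores.getKeyStore());
            }
            if (stores.getTrustStore() != null) {
                hostConfig.setTrustStore(stores.getTrustStore());
            }
        } catch (Exception e) {
            // Cause is preserved; the message intentionally carries no store contents.
            throw new IllegalStateException("Could not load store: " + e.getMessage(), e);
        }
    }
}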
