package org.ops4j.pax.web.service.undertow.internal;

import io.undertow.UndertowOptions;
import io.undertow.connector.ByteBufferPool;
import io.undertow.protocols.ssl.UndertowXnioSsl;
import io.undertow.server.DefaultByteBufferPool;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.CookieSameSiteMode;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.server.handlers.PeerNameResolvingHandler;
import io.undertow.server.handlers.ProxyPeerAddressHandler;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.server.handlers.SameSiteCookieHandler;
import io.undertow.server.protocol.http.AlpnOpenListener;
import io.undertow.server.protocol.http.HttpOpenListener;
import io.undertow.server.protocol.http2.Http2OpenListener;
import io.undertow.server.protocol.http2.Http2UpgradeHandler;
import io.undertow.server.protocol.proxy.ProxyProtocolOpenListener;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.FilterInfo;
import io.undertow.servlet.api.FilterMappingInfo;
import io.undertow.servlet.api.ServletInfo;
import io.undertow.servlet.handlers.MarkSecureHandler;
import io.undertow.util.HttpString;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.ops4j.pax.web.service.spi.config.Configuration;
import org.ops4j.pax.web.service.spi.config.SecurityConfiguration;
import org.ops4j.pax.web.service.spi.model.elements.FilterModel;
import org.ops4j.pax.web.service.undertow.configuration.model.IoSubsystem;
import org.ops4j.pax.web.service.undertow.configuration.model.SecurityRealm;
import org.ops4j.pax.web.service.undertow.configuration.model.Server;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xnio.ChannelListeners;
import org.xnio.Option;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.Sequence;
import org.xnio.SslClientAuthMode;
import org.xnio.StreamConnection;
import org.xnio.Xnio;
import org.xnio.XnioProvider;
import org.xnio.XnioWorker;
import org.xnio.channels.AcceptingChannel;

/* loaded from: input_file:org/ops4j/pax/web/service/undertow/internal/UndertowFactory.class */
public class UndertowFactory {
    /** XNIO option key under which the connector name chosen for a listener is stored in its Undertow option map. */
    public static final Option<String> PAX_WEB_CONNECTOR_NAME = Option.simple(UndertowFactory.class, "PAX_WEB_CONNECTOR_NAME", String.class);
    private static final Logger LOG = LoggerFactory.getLogger(UndertowFactory.class);
    // Class loader probed in discovery() for the optional HTTP/2 upgrade handler class.
    private final ClassLoader classLoader;
    // XNIO instance obtained from the provider; used to create workers and the TLS connection server.
    private final Xnio xnio;
    // True when the HTTP/2 upgrade handler class could be loaded through classLoader.
    private boolean http2Available;
    // Runtime.maxMemory() captured in discovery(); drives buffer pool sizing.
    private long maxMemory;
    // Socket options applied to every listener before the per-listener options are added.
    private OptionMap commonSocketOptions;
    // Created on first use by getDefaultWorker(); reset to null by closeDefaultPoolAndBuffer().
    private XnioWorker defaultWorker;
    // Created in discovery() and recreated by closeDefaultPoolAndBuffer().
    private ByteBufferPool defaultBufferPool;

    /* loaded from: input_file:org/ops4j/pax/web/service/undertow/internal/UndertowFactory$AcceptingChannelWithAddress.class */
    /**
     * Pairs a bound XNIO accepting channel with the socket address it was created for and carries
     * a flag saying whether the listener was set up as a secure one.
     *
     * <p>The {@code secure} flag is plain mutable state assigned through {@link #setSecure(boolean)};
     * it defaults to {@code false} and is not derived from the channel.
     */
    public static class AcceptingChannelWithAddress {
        private final AcceptingChannel<? extends StreamConnection> acceptingChannel;
        private final InetSocketAddress address;
        private boolean secure;

        /**
         * @param acceptingChannel the server channel accepting connections
         * @param inetSocketAddress the address the channel was bound to
         */
        public AcceptingChannelWithAddress(AcceptingChannel<? extends StreamConnection> acceptingChannel, InetSocketAddress inetSocketAddress) {
            this.address = inetSocketAddress;
            this.acceptingChannel = acceptingChannel;
        }

        /** @return the server channel given at construction */
        public AcceptingChannel<? extends StreamConnection> getAcceptingChannel() {
            return acceptingChannel;
        }

        /** @return the bind address given at construction */
        public InetSocketAddress getAddress() {
            return address;
        }

        /** @return the value last passed to {@link #setSecure(boolean)}, {@code false} if never set */
        public boolean isSecure() {
            return secure;
        }

        /** @param z whether this listener should be reported as secure */
        public void setSecure(boolean z) {
            secure = z;
        }

        @Override
        public String toString() {
            StringBuilder text = new StringBuilder("AcceptingChannelWithAddress{acceptingChannel=");
            text.append(acceptingChannel);
            text.append(", address=").append(address);
            text.append(", secure=").append(secure);
            text.append("}");
            return text.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the factory, resolving the XNIO instance from the provider and then running
     * {@code discovery()} to set up socket defaults, the default buffer pool and the HTTP/2
     * availability flag.
     *
     * @param classLoader class loader used to probe for the optional HTTP/2 classes
     * @param xnioProvider provider the XNIO instance is taken from
     */
    public UndertowFactory(ClassLoader classLoader, XnioProvider xnioProvider) {
        Xnio resolved = xnioProvider.getInstance();
        this.classLoader = classLoader;
        this.xnio = resolved;
        discovery();
    }

    /**
     * Captures runtime facts the factory depends on: the JVM memory limit, the socket options
     * shared by all listeners, a default buffer pool, and whether the HTTP/2 upgrade handler
     * class can be loaded through the configured class loader.
     */
    private void discovery() {
        maxMemory = Runtime.getRuntime().maxMemory();

        OptionMap.Builder socketDefaults = OptionMap.builder();
        socketDefaults.set(Options.TCP_NODELAY, true);
        socketDefaults.set(Options.REUSE_ADDRESSES, true);
        socketDefaults.set(Options.BALANCING_TOKENS, 1);
        socketDefaults.set(Options.BALANCING_CONNECTIONS, 2);
        commonSocketOptions = socketDefaults.getMap();

        IoSubsystem.BufferPool poolDefinition = new IoSubsystem.BufferPool();
        poolDefinition.setName("default");
        defaultBufferPool = createBufferPool(poolDefinition);

        // Only ClassNotFoundException is treated as "HTTP/2 not available"; other errors propagate.
        boolean loadable;
        try {
            classLoader.loadClass("io.undertow.server.protocol.http2.Http2UpgradeHandler");
            loadable = true;
        } catch (ClassNotFoundException ignored) {
            loadable = false;
        }
        http2Available = loadable;
    }

    /**
     * Creates an XNIO worker from the given worker definition. Worker threads are created as
     * non-daemon threads.
     *
     * @param worker definition supplying the name, stack size, I/O thread count and task pool sizing
     * @return the newly created worker
     * @throws IOException if XNIO cannot create the worker
     */
    public XnioWorker createWorker(IoSubsystem.Worker worker) throws IOException {
        OptionMap.Builder workerOptions = OptionMap.builder();
        workerOptions.set(Options.WORKER_NAME, worker.getName());
        workerOptions.set(Options.THREAD_DAEMON, false);
        workerOptions.set(Options.STACK_SIZE, worker.getStackSize());
        workerOptions.set(Options.WORKER_IO_THREADS, worker.getIoThreads());
        workerOptions.set(Options.WORKER_TASK_KEEPALIVE, worker.getTaskKeepalive());
        workerOptions.set(Options.WORKER_TASK_CORE_THREADS, worker.getTaskCoreThreads());
        workerOptions.set(Options.WORKER_TASK_MAX_THREADS, worker.getTaskMaxThreads());
        return xnio.createWorker(workerOptions.getMap());
    }

    /**
     * Creates a byte buffer pool sized from the pool definition, falling back to a size chosen
     * from the JVM memory limit when the definition gives none.
     *
     * <p>Direct buffers are used when the memory limit is at least 64 MiB. Without a configured
     * size, 16364 bytes are used at 128 MiB or more and 1024 bytes below that.
     *
     * @param bufferPool pool definition; only its buffer size is read here
     * @return a new {@link DefaultByteBufferPool}
     */
    public ByteBufferPool createBufferPool(IoSubsystem.BufferPool bufferPool) {
        final long directThreshold = 64L * 1024 * 1024;
        final long largeBufferThreshold = 128L * 1024 * 1024;

        Integer configuredSize = bufferPool.getBufferSize();
        int effectiveSize;
        if (configuredSize != null) {
            effectiveSize = configuredSize.intValue();
        } else if (maxMemory >= largeBufferThreshold) {
            effectiveSize = 16364;
        } else {
            effectiveSize = 1024;
        }

        boolean useDirectBuffers = maxMemory >= directThreshold;
        // Trailing arguments (-1, 12, 0) are passed as in the original; presumably maximum pool
        // size, thread-local cache size and leak detection percentage (confirm against Undertow).
        return new DefaultByteBufferPool(useDirectBuffers, effectiveSize, -1, 12, 0);
    }

    /**
     * Returns the shared default worker, creating it on first call from the server configuration.
     *
     * <p>The worker name is the configured thread name prefix, or {@code "XNIO-default"} when none
     * is set. When a maximum thread count is configured it is used for both the core and the
     * maximum task thread count. The lazy initialisation is not synchronised.
     *
     * @param configuration source of the thread name prefix and maximum thread count
     * @return the default worker
     * @throws IllegalStateException if the worker cannot be created
     */
    public XnioWorker getDefaultWorker(Configuration configuration) {
        if (defaultWorker != null) {
            return defaultWorker;
        }

        IoSubsystem.Worker definition = new IoSubsystem.Worker();
        definition.setName(configuration.server().getServerThreadNamePrefix() != null
                ? configuration.server().getServerThreadNamePrefix()
                : "XNIO-default");
        if (configuration.server().getServerMaxThreads() != null) {
            definition.setTaskCoreThreads(configuration.server().getServerMaxThreads().intValue());
            definition.setTaskMaxThreads(configuration.server().getServerMaxThreads().intValue());
        }

        try {
            defaultWorker = createWorker(definition);
        } catch (IOException failure) {
            throw new IllegalStateException("Can't create default worker for Undertow: " + failure.getMessage(), failure);
        }
        return defaultWorker;
    }

    /**
     * Shuts down the default worker (if one was created) and replaces the default buffer pool
     * with a freshly created one after closing the current pool.
     */
    public void closeDefaultPoolAndBuffer() {
        XnioWorker worker = defaultWorker;
        if (worker != null) {
            worker.shutdown();
            defaultWorker = null;
        }

        ByteBufferPool pool = defaultBufferPool;
        if (pool == null) {
            return;
        }
        pool.close();
        IoSubsystem.BufferPool replacement = new IoSubsystem.BufferPool();
        replacement.setName("default");
        defaultBufferPool = createBufferPool(replacement);
    }

    /**
     * Creates a dedicated single-threaded worker named {@code "log-xnio"} whose threads are
     * daemon threads.
     *
     * @return the newly created worker
     * @throws IOException if XNIO cannot create the worker
     */
    public XnioWorker createLogWorker() throws IOException {
        OptionMap.Builder logOptions = OptionMap.builder();
        logOptions.set(Options.WORKER_NAME, "log-xnio");
        logOptions.set(Options.WORKER_TASK_CORE_THREADS, 1);
        logOptions.set(Options.WORKER_TASK_MAX_THREADS, 1);
        logOptions.set(Options.THREAD_DAEMON, true);
        logOptions.set(Options.WORKER_IO_THREADS, 1);
        return xnio.createWorker(logOptions.getMap());
    }

    /**
     * @return the current default buffer pool; the instance changes after
     *         {@code closeDefaultPoolAndBuffer()} replaces it
     */
    public ByteBufferPool getDefaultBufferPool() {
        return defaultBufferPool;
    }

    /**
     * Creates a plain HTTP listener on the configured HTTP port using a default listener
     * definition. HTTP/2 and HTTP/2 push are switched on in that definition unconditionally.
     *
     * @param str host name or address to bind to
     * @param httpHandler root handler for requests arriving on this listener
     * @param configuration source of the HTTP port and other server settings
     * @return the accepting channel together with its bind address
     */
    public AcceptingChannelWithAddress createDefaultListener(String str, HttpHandler httpHandler, Configuration configuration) {
        Server.HttpListener definition = new Server.HttpListener();
        definition.setEnableHttp2(true);
        definition.setHttp2EnablePush(true);
        int port = configuration.server().getHttpPort().intValue();
        InetSocketAddress bindAddress = new InetSocketAddress(str, port);
        return createListener(str, httpHandler, configuration, definition, bindAddress);
    }

    /**
     * Creates an HTTPS listener on the configured secure port using a default listener
     * definition (HTTP/2 and HTTP/2 push switched on) and marks the result as secure.
     *
     * <p>No security realm is passed along this path, so keystore, truststore, protocol and
     * cipher settings come from the global security configuration.
     *
     * @param str host name or address to bind to
     * @param httpHandler root handler for requests arriving on this listener
     * @param configuration source of the secure port and TLS settings
     * @return the accepting channel together with its bind address, flagged secure
     */
    public AcceptingChannelWithAddress createSecureListener(String str, HttpHandler httpHandler, Configuration configuration) {
        Server.HttpsListener definition = new Server.HttpsListener();
        definition.setEnableHttp2(true);
        definition.setHttp2EnablePush(true);
        int securePort = configuration.server().getHttpSecurePort().intValue();
        InetSocketAddress bindAddress = new InetSocketAddress(str, securePort);
        AcceptingChannelWithAddress bound = createListener(str, httpHandler, configuration, definition, bindAddress);
        bound.setSecure(true);
        return bound;
    }

    /**
     * Binds a listener with the default worker and default buffer pool and without a security
     * realm, wrapping the resulting channel together with its address.
     *
     * @throws RuntimeException wrapping the {@link IOException} when the listener cannot be created
     */
    private AcceptingChannelWithAddress createListener(String str, HttpHandler httpHandler, Configuration configuration, Server.Listener listener, InetSocketAddress inetSocketAddress) {
        AcceptingChannel<? extends StreamConnection> channel;
        try {
            XnioWorker worker = getDefaultWorker(configuration);
            channel = createListener(configuration, listener, httpHandler, null, worker, this.defaultBufferPool, inetSocketAddress);
        } catch (IOException failure) {
            throw new RuntimeException(failure.getMessage(), failure);
        }
        return new AcceptingChannelWithAddress(channel, inetSocketAddress);
    }

    /**
     * Creates and binds an HTTP or HTTPS listener for the given listener definition.
     *
     * <p>Socket options are the common options plus the per-listener ones; Undertow options and
     * the wrapped root handler come from {@code prepareUndertowOptionsBuilder}. For HTTPS the
     * method additionally assembles the TLS options (client authentication mode, session cache,
     * cipher suites, protocols) and builds the SSL context.
     *
     * @param configuration global configuration (server and security sections are read)
     * @param listener listener definition; must be a {@code Server.HttpListener} or {@code Server.HttpsListener}
     * @param httpHandler root handler to serve requests with
     * @param securityRealm optional realm supplying TLS engine, keystore and truststore settings; may be null
     * @param xnioWorker worker that accepts the connections
     * @param byteBufferPool buffer pool for the open listeners
     * @param inetSocketAddress address to bind to
     * @return the bound accepting channel
     * @throws IOException if the server channel cannot be created
     * @throws IllegalArgumentException if the listener is neither an HTTP nor an HTTPS listener
     */
    public AcceptingChannel<? extends StreamConnection> createListener(Configuration configuration, Server.Listener listener, HttpHandler httpHandler, SecurityRealm securityRealm, XnioWorker xnioWorker, ByteBufferPool byteBufferPool, InetSocketAddress inetSocketAddress) throws IOException {
        OptionMap.Builder addAll = OptionMap.builder().addAll(this.commonSocketOptions);
        prepareListenerOptionsBuilder(addAll, listener);
        OptionMap map = addAll.getMap();
        OptionMap.Builder builder = OptionMap.builder();
        HttpHandler prepareUndertowOptionsBuilder = prepareUndertowOptionsBuilder(configuration, builder, listener, httpHandler);
        OptionMap map2 = builder.getMap();
        // NOTE(review): decompiler artifact - the locals below are declared as AlpnOpenListener but
        // are assigned HttpOpenListener and ProxyProtocolOpenListener instances as well.
        AlpnOpenListener httpOpenListener = new HttpOpenListener(byteBufferPool, map2);
        httpOpenListener.setRootHandler(prepareUndertowOptionsBuilder);
        AlpnOpenListener alpnOpenListener = httpOpenListener;
        // ALPN negotiation of "h2" is only set up for HTTPS listeners with HTTP/2 enabled and the
        // HTTP/2 classes present; the HTTP/1.1 open listener stays as the fallback.
        if ((listener instanceof Server.HttpsListener) && this.http2Available && listener.isEnableHttp2()) {
            AlpnOpenListener alpnOpenListener2 = new AlpnOpenListener(byteBufferPool, map2, httpOpenListener);
            Http2OpenListener http2OpenListener = new Http2OpenListener(byteBufferPool, map2);
            http2OpenListener.setRootHandler(prepareUndertowOptionsBuilder);
            alpnOpenListener2.addProtocol("h2", http2OpenListener, 10);
            alpnOpenListener = alpnOpenListener2;
        }
        AlpnOpenListener alpnOpenListener3 = alpnOpenListener;
        if (listener instanceof Server.HttpListener) {
            // With proxy-protocol enabled the connection preamble is read by ProxyProtocolOpenListener.
            // NOTE(review): no peer allow-list is applied in this method, so such a listener should
            // only be reachable from the trusted load balancer; otherwise a client can state its own source address.
            if (((Server.HttpListener) listener).isProxyProtocol()) {
                alpnOpenListener3 = new ProxyProtocolOpenListener(alpnOpenListener, (UndertowXnioSsl) null, byteBufferPool, OptionMap.EMPTY);
            }
            return xnioWorker.createStreamConnectionServer(inetSocketAddress, ChannelListeners.openListenerAdapter(alpnOpenListener3), map);
        }
        if (!(listener instanceof Server.HttpsListener)) {
            throw new IllegalArgumentException("Can't handle listener definition " + listener);
        }
        Server.HttpsListener httpsListener = (Server.HttpsListener) listener;
        OptionMap.Builder builder2 = OptionMap.builder();
        builder2.addAll(map);
        // Client authentication mode: later assignments overwrite earlier ones, so the effective
        // precedence is clientAuthNeeded (REQUIRED) over clientAuthWanted (REQUESTED) over the
        // listener's own verify-client value. If none applies the option is left unset.
        if (httpsListener.getVerifyClient() != null) {
            builder2.set(Options.SSL_CLIENT_AUTH_MODE, httpsListener.getVerifyClient());
        }
        // NOTE(review): both flags are unboxed without a null check; presumably the configuration
        // always returns non-null Booleans - confirm.
        if (configuration.security().isClientAuthWanted().booleanValue()) {
            builder2.set(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUESTED);
        }
        if (configuration.security().isClientAuthNeeded().booleanValue()) {
            builder2.set(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
        }
        // Session creation and cache sizes are only configured for a positive cache size; the
        // session timeouts are always set.
        if (httpsListener.getSslSessionCacheSize() > 0) {
            builder2.set(Options.SSL_ENABLE_SESSION_CREATION, true);
            builder2.set(Options.SSL_CLIENT_SESSION_CACHE_SIZE, httpsListener.getSslSessionCacheSize());
            builder2.set(Options.SSL_SERVER_SESSION_CACHE_SIZE, httpsListener.getSslSessionCacheSize());
        }
        builder2.set(Options.SSL_CLIENT_SESSION_TIMEOUT, httpsListener.getSslSessionTimeout());
        builder2.set(Options.SSL_SERVER_SESSION_TIMEOUT, httpsListener.getSslSessionTimeout());
        SecurityRealm.Engine engine = null;
        if (securityRealm != null && securityRealm.getIdentities() != null && securityRealm.getIdentities().getSsl() != null && securityRealm.getIdentities().getSsl().getEngine() != null) {
            engine = securityRealm.getIdentities().getSsl().getEngine();
        }
        // Cipher suites are taken from the first non-empty source: https-listener, then the realm's
        // ssl/engine, then the global included-ciphersuites setting. When all are empty the option
        // is not set, which presumably leaves the TLS provider's default suites enabled.
        List<String> enabledCipherSuites = httpsListener.getEnabledCipherSuites();
        if (enabledCipherSuites.size() > 0 && engine != null && engine.getEnabledCipherSuites().size() > 0) {
            LOG.warn("Enabled cipher suites specified both for https-listener and ssl/engine. Cipher suites from the https-listener will be used.");
        }
        if (enabledCipherSuites.size() == 0 && engine != null) {
            enabledCipherSuites = engine.getEnabledCipherSuites();
        }
        if (enabledCipherSuites.size() == 0 && configuration.security().getCiphersuiteIncluded().length > 0) {
            enabledCipherSuites = Arrays.asList(configuration.security().getCiphersuiteIncluded());
        }
        if (enabledCipherSuites.size() > 0) {
            builder2.set(Options.SSL_ENABLED_CIPHER_SUITES, Sequence.of(enabledCipherSuites));
        }
        // Protocol versions follow the same precedence. No minimum TLS version is enforced here:
        // with nothing configured, SSL_ENABLED_PROTOCOLS stays unset.
        List<String> enabledProtocols = httpsListener.getEnabledProtocols();
        if (enabledProtocols.size() > 0 && engine != null && engine.getEnabledProtocols().size() > 0) {
            LOG.warn("Enabled protocols specified both for https-listener and ssl/engine. Protocols from the https-listener will be used.");
        }
        if (enabledProtocols.size() == 0 && engine != null) {
            enabledProtocols = engine.getEnabledProtocols();
        }
        if (enabledProtocols.size() == 0 && configuration.security().getProtocolsIncluded().length > 0) {
            enabledProtocols = Arrays.asList(configuration.security().getProtocolsIncluded());
        }
        if (enabledProtocols.size() > 0) {
            builder2.set(Options.SSL_ENABLED_PROTOCOLS, Sequence.of(enabledProtocols));
        }
        // Presumably makes the server's cipher suite order take precedence over the client's - confirm against Undertow.
        builder2.set(UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER, true);
        OptionMap map3 = builder2.getMap();
        UndertowXnioSsl undertowXnioSsl = new UndertowXnioSsl(this.xnio, map3, byteBufferPool, buildSSLContext(configuration, httpsListener, securityRealm));
        // Same proxy-protocol caveat as for the plain HTTP listener: the preamble is accepted from any connecting peer.
        if (httpsListener.isProxyProtocol()) {
            alpnOpenListener3 = new ProxyProtocolOpenListener(alpnOpenListener, undertowXnioSsl, byteBufferPool, map3);
        }
        return undertowXnioSsl.createSslConnectionServer(xnioWorker, inetSocketAddress, ChannelListeners.openListenerAdapter(alpnOpenListener3), map3);
    }

    /**
     * Copies the socket-level settings of a listener definition (buffers, backlog, keep-alive,
     * read/write timeouts, connection limits) into the option builder. The maximum connection
     * count is used for both the high and the low water mark.
     *
     * @param builder option builder to add to
     * @param listener listener definition to read from
     */
    private void prepareListenerOptionsBuilder(OptionMap.Builder builder, Server.Listener listener) {
        builder
                .set(Options.RECEIVE_BUFFER, listener.getReceiveBuffer())
                .set(Options.SEND_BUFFER, listener.getSendBuffer())
                .set(Options.BACKLOG, listener.getTcpBacklog())
                .set(Options.KEEP_ALIVE, listener.isTcpKeepAlive())
                .set(Options.READ_TIMEOUT, listener.getReadTimeout())
                .set(Options.WRITE_TIMEOUT, listener.getWriteTimeout())
                .set(Options.CONNECTION_HIGH_WATER, listener.getMaxConnections())
                .set(Options.CONNECTION_LOW_WATER, listener.getMaxConnections());
    }

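    /**
     * Fills the Undertow option builder from the listener definition and wraps the given handler
     * with the per-listener handlers that the definition and configuration ask for.
     *
     * <p>Wrapping order, innermost first: mark-secure, peer name resolution, proxy peer address,
     * root OPTIONS handling, disallowed methods, SameSite cookie, SSL header, HTTP/2 upgrade.
     *
     * @param configuration global configuration (server and session sections are read)
     * @param builder Undertow option builder to fill
     * @param listener listener definition
     * @param httpHandler handler to wrap
     * @return the outermost handler to install as the listener's root handler
     */
    private HttpHandler prepareUndertowOptionsBuilder(Configuration configuration, OptionMap.Builder builder, Server.Listener listener, HttpHandler httpHandler) {
        // Request parsing limits and URL/cookie leniency switches, copied from the listener definition.
        builder.set(UndertowOptions.BUFFER_PIPELINED_DATA, listener.isBufferPipelinedData());
        builder.set(UndertowOptions.ENABLE_STATISTICS, false);
        builder.set(UndertowOptions.MAX_PARAMETERS, listener.getMaxParameters());
        builder.set(UndertowOptions.MAX_HEADERS, listener.getMaxHeaders());
        builder.set(UndertowOptions.MAX_COOKIES, listener.getMaxCookies());
        builder.set(UndertowOptions.MAX_ENTITY_SIZE, listener.getMaxPostSize());
        builder.set(UndertowOptions.MAX_HEADER_SIZE, listener.getMaxHeaderSize());
        builder.set(UndertowOptions.MAX_BUFFERED_REQUEST_SIZE, listener.getMaxBufferedRequestSize());
        builder.set(UndertowOptions.DECODE_URL, listener.isDecodeUrl());
        builder.set(UndertowOptions.ALLOW_ENCODED_SLASH, listener.isAllowEncodedSlash());
        builder.set(UndertowOptions.ALLOW_EQUALS_IN_COOKIE_VALUE, listener.isAllowEqualsInCookieValue());
        builder.set(UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL, listener.isAllowUnescapedCharactersInUrl());
        builder.set(UndertowOptions.URL_CHARSET, listener.getUrlCharset());
        builder.set(UndertowOptions.ALWAYS_SET_KEEP_ALIVE, listener.isAlwaysSetKeepAlive());
        builder.set(UndertowOptions.NO_REQUEST_TIMEOUT, listener.getNoRequestTimeout());
        builder.set(UndertowOptions.REQUEST_PARSE_TIMEOUT, listener.getRequestParseTimeout());
        builder.set(UndertowOptions.RECORD_REQUEST_START_TIME, listener.isRecordRequestStartTime());
        if (configuration.server().getConnectorIdleTimeout() != null) {
            builder.set(UndertowOptions.IDLE_TIMEOUT, configuration.server().getConnectorIdleTimeout());
        }
        builder.set(Options.SECURE, listener.isSecure());

        String httpConnectorName = configuration.server().getHttpConnectorName();
        if (listener.isSecure()) {
            httpHandler = new MarkSecureHandler(httpHandler);
            httpConnectorName = configuration.server().getHttpSecureConnectorName();
        }
        if (listener.isResolvePeerAddress()) {
            httpHandler = new PeerNameResolvingHandler(httpHandler);
        }
        // ProxyPeerAddressHandler takes the peer address from forwarding request headers. Those
        // headers are client-controlled unless a trusted front-end proxy overwrites them, so this
        // should only be enabled when the listener is reachable through such a proxy alone.
        if (listener.isProxyAddressForwarding() || configuration.server().checkForwardedHeaders().booleanValue()) {
            httpHandler = new ProxyPeerAddressHandler(httpHandler);
        }

        HttpHandler rootHttpOptionsHandler = new RootHttpOptionsHandler(httpHandler, listener.getDisallowedMethods());
        if (listener.getDisallowedMethods().size() > 0) {
            // Restored from a decompiler-mangled lambda that referenced undefined names.
            HashSet<HttpString> disallowedMethods = new HashSet<>();
            listener.getDisallowedMethods().stream().map(HttpString::tryFromString).forEach(disallowedMethods::add);
            rootHttpOptionsHandler = new DisallowedMethodsHandler(rootHttpOptionsHandler, disallowedMethods);
        }

        String sessionCookieSameSite = configuration.session().getSessionCookieSameSite();
        if (sessionCookieSameSite != null && !"unset".equalsIgnoreCase(sessionCookieSameSite)) {
            // NOTE(review): a value other than none/lax/strict leaves the mode null and the handler
            // is still installed with that null mode; consider rejecting or logging unknown values.
            String sameSiteMode = null;
            if ("none".equalsIgnoreCase(sessionCookieSameSite)) {
                sameSiteMode = CookieSameSiteMode.NONE.toString();
            } else if ("lax".equalsIgnoreCase(sessionCookieSameSite)) {
                sameSiteMode = CookieSameSiteMode.LAX.toString();
            } else if ("strict".equalsIgnoreCase(sessionCookieSameSite)) {
                sameSiteMode = CookieSameSiteMode.STRICT.toString();
            }
            rootHttpOptionsHandler = new SameSiteCookieHandler(rootHttpOptionsHandler, sameSiteMode, configuration.session().getSessionCookieName());
        }
        // SSLHeaderHandler presumably populates TLS session details (client certificate, cipher)
        // from request headers set by a TLS-terminating front end. Enable certificate forwarding
        // only behind a proxy that strips those headers from incoming client requests.
        if (listener.isCertificateForwarding()) {
            rootHttpOptionsHandler = new SSLHeaderHandler(rootHttpOptionsHandler);
        }
        builder.set(UndertowOptions.ENABLE_RFC6265_COOKIE_VALIDATION, listener.isRfc6265CookieValidation());
        builder.set(UndertowOptions.REQUIRE_HOST_HTTP11, listener.isRequireHostHttp11());

        if (listener.isEnableHttp2()) {
            if (this.http2Available) {
                // Cleartext upgrade to HTTP/2 is only wired for plain HTTP listeners; HTTPS uses ALPN.
                if (listener instanceof Server.HttpListener) {
                    rootHttpOptionsHandler = new Http2UpgradeHandler(rootHttpOptionsHandler);
                }
                builder.set(UndertowOptions.ENABLE_HTTP2, true);
                builder.set(UndertowOptions.HTTP2_SETTINGS_ENABLE_PUSH, listener.isHttp2EnablePush());
                builder.set(UndertowOptions.HTTP2_SETTINGS_HEADER_TABLE_SIZE, listener.getHttp2HeaderTableSize());
                builder.set(UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE, listener.getHttp2InitialWindowSize());
                builder.set(UndertowOptions.HTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, listener.getHttp2MaxConcurrentStreams());
                builder.set(UndertowOptions.HTTP2_SETTINGS_MAX_FRAME_SIZE, listener.getHttp2MaxFrameSize());
                builder.set(UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE, listener.getHttp2MaxHeaderListSize());
            } else {
                LOG.warn("HTTP2 support configured for the listener, but HTTP2 support classes not available");
            }
        }

        // Connector name: the listener's own name, or the configured (secure) connector name when blank.
        String name = listener.getName();
        if (name == null || "".equals(name.trim())) {
            name = httpConnectorName;
        }
        builder.set(PAX_WEB_CONNECTOR_NAME, name);
        return rootHttpOptionsHandler;
    }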

    /**
     * Builds the {@link SSLContext} for an HTTPS listener.
     *
     * <p>Keystore and truststore definitions are taken from the security realm when it provides
     * them, otherwise they are assembled from the global security configuration. Key managers are
     * always created; trust managers only when a truststore path is configured. Optional steps
     * validate the server's own certificate and enable revocation checking for peer certificates.
     *
     * @param configuration global configuration; its security section is read
     * @param httpsListener listener definition supplying the session cache size and timeout
     * @param securityRealm optional realm supplying keystore and truststore; may be null
     * @return an initialised SSL context
     * @throws IllegalArgumentException wrapping any failure while loading key material or initialising the context
     */
    private SSLContext buildSSLContext(Configuration configuration, Server.HttpsListener httpsListener, SecurityRealm securityRealm) {
        SecurityRealm.Truststore truststore;
        SecurityRealm.Keystore keystore;
        SecurityConfiguration security = configuration.security();
        if (securityRealm == null || securityRealm.getAuthentication() == null || securityRealm.getAuthentication().getTruststore() == null) {
            truststore = new SecurityRealm.Truststore();
            truststore.setPath(security.getTruststore());
            truststore.setPassword(security.getTruststorePassword());
            truststore.setType(security.getTruststoreType());
        } else {
            truststore = securityRealm.getAuthentication().getTruststore();
        }
        if (securityRealm == null || securityRealm.getIdentities() == null || securityRealm.getIdentities().getSsl() == null || securityRealm.getIdentities().getSsl().getKeystore() == null) {
            keystore = new SecurityRealm.Keystore();
            keystore.setPath(security.getSslKeystore());
            keystore.setPassword(security.getSslKeystorePassword());
            // NOTE(review): the keystore type is filled from the *truststore* type setting. This
            // looks like a copy/paste slip; confirm whether a keystore-specific type should be used.
            keystore.setType(security.getTruststoreType());
            keystore.setKeyPassword(security.getSslKeyPassword());
            keystore.setAlias(security.getSslKeyAlias());
        } else {
            keystore = securityRealm.getIdentities().getSsl().getKeystore();
        }
        try {
            URL loadResource = loadResource(keystore.getPath());
            // A missing store type falls back to "JKS".
            String type = keystore.getType() == null ? "JKS" : keystore.getType();
            String alias = keystore.getAlias();
            KeyStore keyStore = getKeyStore(security, loadResource, type, keystore.getPassword(), security.getSslKeystoreProvider());
            // With an alias configured, only that private key entry is copied into a fresh in-memory
            // keystore, so the key manager below sees no other entry of the original store.
            if (alias != null) {
                KeyStore keyStore2 = KeyStore.getInstance(type);
                keyStore2.load(null);
                if (!keyStore.containsAlias(alias)) {
                    throw new IllegalArgumentException("Entry \"" + alias + "\" not found in keystore " + keystore.getPath());
                }
                // NOTE(review): getKeyPassword() is dereferenced without a null check here, while the
                // KeyManagerFactory initialisation below tolerates a null key password.
                KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(keystore.getKeyPassword().toCharArray());
                if (!keyStore.isKeyEntry(alias)) {
                    throw new IllegalArgumentException("Entry \"" + alias + "\" is not private key entry in keystore " + keystore.getPath());
                }
                keyStore2.setEntry(alias, keyStore.getEntry(alias, passwordProtection), passwordProtection);
                keyStore = keyStore2;
            }
            String sslKeyManagerFactoryAlgorithm = security.getSslKeyManagerFactoryAlgorithm();
            if (sslKeyManagerFactoryAlgorithm == null) {
                sslKeyManagerFactoryAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
            }
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(sslKeyManagerFactoryAlgorithm);
            keyManagerFactory.init(keyStore, keystore.getKeyPassword() == null ? null : keystore.getKeyPassword().toCharArray());
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
            // Stays null when no truststore path is configured; null is then passed to
            // SSLContext.init(), which makes JSSE fall back to its default trust managers.
            // NOTE(review): with client-certificate authentication enabled, client certificates
            // would then be checked against the JVM default trust store - confirm this is intended.
            TrustManager[] trustManagerArr = null;
            // A null SecureRandom is passed through to SSLContext.init() when no algorithm is configured.
            SecureRandom secureRandom = security.getSecureRandomAlgorithm() == null ? null : SecureRandom.getInstance(security.getSecureRandomAlgorithm());
            if (truststore.getPath() != null) {
                KeyStore keyStore3 = getKeyStore(security, loadResource(truststore.getPath()), truststore.getType() == null ? "JKS" : truststore.getType(), truststore.getPassword(), security.getTruststoreProvider());
                String trustManagerFactoryAlgorithm = security.getTrustManagerFactoryAlgorithm();
                if (trustManagerFactoryAlgorithm == null) {
                    trustManagerFactoryAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
                }
                Collection<? extends CRL> loadCRL = security.getCrlPath() == null ? null : loadCRL(security.getCrlPath());
                // Optional validation of the server's own certificate. Without an alias, the
                // certificate is only picked automatically when the keystore holds exactly one entry.
                if (security.isValidateCerts().booleanValue()) {
                    String alias2 = keystore.getAlias();
                    if (alias2 == null) {
                        ArrayList list = Collections.list(keyStore.aliases());
                        alias2 = list.size() == 1 ? (String) list.get(0) : null;
                    }
                    Certificate certificate = alias2 == null ? null : keyStore.getCertificate(alias2);
                    if (certificate == null) {
                        throw new IllegalArgumentException("No certificate found in the keystore" + (alias2 == null ? "" : " for alias \"" + alias2 + "\""));
                    }
                    CertificateValidator certificateValidator = new CertificateValidator(keyStore3, loadCRL);
                    certificateValidator.setEnableCRLDP(security.isEnableCRLDP().booleanValue());
                    certificateValidator.setEnableOCSP(security.isEnableOCSP().booleanValue());
                    certificateValidator.setOcspResponderURL(security.getOcspResponderURL());
                    certificateValidator.validate(keyStore, certificate);
                }
                // Revocation checking of peer certificates is only configured when peer validation is
                // requested AND the trust manager algorithm is PKIX; the else branch below initialises
                // the trust managers from the truststore alone, without CRL/OCSP parameters.
                if (security.isValidatePeerCerts().booleanValue() && trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX")) {
                    PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(keyStore3, new X509CertSelector());
                    // NOTE(review): revocation is switched on unconditionally in this branch; if no CRL is
                    // loaded and neither CRLDP nor OCSP is enabled, peer validation presumably cannot
                    // determine revocation status - verify the resulting behaviour.
                    pKIXBuilderParameters.setRevocationEnabled(true);
                    if (loadCRL != null && !loadCRL.isEmpty()) {
                        pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(loadCRL)));
                    }
                    // The two blocks below write JVM-wide system/security properties. They are never
                    // reset in this method, so they affect every PKIX validation in the process,
                    // not only this listener.
                    if (security.isEnableCRLDP().booleanValue()) {
                        System.setProperty("com.sun.security.enableCRLDP", "true");
                    }
                    if (security.isEnableOCSP().booleanValue()) {
                        Security.setProperty("ocsp.enable", "true");
                        if (security.getOcspResponderURL() != null) {
                            Security.setProperty("ocsp.responderURL", security.getOcspResponderURL());
                        }
                    }
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(trustManagerFactoryAlgorithm);
                    trustManagerFactory.init(new CertPathTrustManagerParameters(pKIXBuilderParameters));
                    trustManagerArr = trustManagerFactory.getTrustManagers();
                } else {
                    TrustManagerFactory trustManagerFactory2 = TrustManagerFactory.getInstance(trustManagerFactoryAlgorithm);
                    trustManagerFactory2.init(keyStore3);
                    trustManagerArr = trustManagerFactory2.getTrustManagers();
                }
            }
            // The generic "TLS" context is requested, optionally from a named provider. Which protocol
            // versions are actually enabled is decided by the listener's SSL_ENABLED_PROTOCOLS option
            // or, when that is unset, presumably by the provider defaults.
            SSLContext sSLContext = (null == security.getSslProvider() || security.getSslProvider().isEmpty()) ? SSLContext.getInstance("TLS") : SSLContext.getInstance("TLS", security.getSslProvider());
            sSLContext.init(keyManagers, trustManagerArr, secureRandom);
            sSLContext.getClientSessionContext().setSessionCacheSize(httpsListener.getSslSessionCacheSize());
            sSLContext.getClientSessionContext().setSessionTimeout(httpsListener.getSslSessionTimeout());
            sSLContext.getServerSessionContext().setSessionCacheSize(httpsListener.getSslSessionCacheSize());
            sSLContext.getServerSessionContext().setSessionTimeout(httpsListener.getSslSessionTimeout());
            return sSLContext;
        } catch (Exception e) {
            // Every failure, including the IllegalArgumentExceptions thrown above, is wrapped with the cause preserved.
            throw new IllegalArgumentException("Unable to build SSL context", e);
        }
    }

    /**
     * Turns a configured location into a URL.
     *
     * <p>A null or blank location yields {@code null}. Otherwise the value is first parsed as a
     * URL; if that fails and it does not start with {@code ftp:}, {@code file:} or {@code jar:},
     * it is treated as a file system path and converted through its canonical file.
     *
     * <p>Any scheme the JVM can parse is accepted, including remote ones, so the locations of
     * keystores and CRLs should only ever come from trusted configuration.
     *
     * @param str location as a URL or file path; may be null
     * @return the resolved URL, or {@code null} for a null/blank location
     * @throws MalformedURLException the original parse failure when the value cannot be resolved either way
     */
    private URL loadResource(String str) throws MalformedURLException {
        if (str == null || "".equals(str.trim())) {
            return null;
        }
        try {
            return new URL(str);
        } catch (MalformedURLException malformed) {
            boolean explicitScheme = str.startsWith("ftp:") || str.startsWith("file:") || str.startsWith("jar:");
            if (explicitScheme) {
                throw malformed;
            }
            try {
                return new File(str).getCanonicalFile().toURI().toURL();
            } catch (Exception ignored) {
                // The file-path fallback failed as well: report the original URL parse error.
                throw malformed;
            }
        }
    }

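    /**
     * Creates a key store of the given type (optionally from a named provider) and loads it.
     *
     * <p>With a URL the store content is read from that location; without one an empty store is
     * initialised. The stream is managed by try-with-resources, so a failure while closing it
     * is recorded as a suppressed exception instead of replacing the original load error.
     *
     * <p>The password must not be null: it is converted with {@code toCharArray()} in both paths.
     *
     * @param securityConfiguration not used by this method
     * @param url location of the store, or null for an empty store
     * @param str key store type
     * @param str2 store password
     * @param str3 provider name, or null for the default provider lookup
     * @return the loaded key store
     * @throws Exception if the store cannot be created, read or verified
     */
    private KeyStore getKeyStore(SecurityConfiguration securityConfiguration, URL url, String str, String str2, String str3) throws Exception {
        KeyStore keyStore = str3 == null ? KeyStore.getInstance(str) : KeyStore.getInstance(str, str3);
        if (url == null) {
            keyStore.load(null, str2.toCharArray());
            return keyStore;
        }
        try (InputStream storeStream = url.openStream()) {
            keyStore.load(storeStream, str2.toCharArray());
        }
        return keyStore;
    }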

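    /**
     * Loads the X.509 certificate revocation lists found at the configured location.
     *
     * <p>The stream is managed with try-with-resources, so it is closed exactly once and a
     * failure while closing can no longer replace the exception thrown while parsing.
     *
     * <p>NOTE(review): {@code generateCRLs} only parses the data; it does not check who signed
     * the lists. Confirm that the consumer of the result validates them, and that the location
     * comes from trusted configuration.
     *
     * @param str the CRL location, resolved through {@code loadResource}; may be {@code null}
     * @return the parsed CRLs, or {@code null} when no location is configured
     * @throws Exception if the location cannot be resolved or opened, or the data cannot be parsed
     */
    public Collection<? extends CRL> loadCRL(String str) throws Exception {
        if (str == null) {
            return null;
        }
        URL crlLocation = loadResource(str);
        if (crlLocation == null) {
            return null;
        }
        try (InputStream in = crlLocation.openStream()) {
            return CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
    }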

    /**
     * Builds a new {@link DeploymentInfo} from {@code deploymentInfo} with a reduced set of
     * filters.
     *
     * <p>Servlets are cloned. A filter is carried over only if it is a {@code PaxWebFilterInfo}
     * and either has no filter model, or is dynamic while {@code z} is {@code false}, or is not
     * dynamic while {@code z2} is {@code false}. Filter mappings are copied only for the filters
     * that were carried over. All other settings are copied one by one.
     *
     * <p>NOTE(review): the copy is maintained by hand. Any {@code DeploymentInfo} setting that is
     * not listed below keeps its default value in the result, including security-related ones.
     * Verify the list against the Undertow version in use.
     *
     * @param deploymentInfo the deployment description to copy from
     * @param z when {@code true}, dynamic filters are left out
     * @param z2 when {@code true}, non-dynamic filters are left out
     * @return the new deployment description
     */
    public DeploymentInfo clearFilters(DeploymentInfo deploymentInfo, boolean z, boolean z2) {
        DeploymentInfo copy = new DeploymentInfo();
        copy.setClassLoader(deploymentInfo.getClassLoader());
        copy.setContextPath(deploymentInfo.getContextPath());
        copy.setResourceManager(deploymentInfo.getResourceManager());
        copy.setMajorVersion(deploymentInfo.getMajorVersion());
        copy.setMinorVersion(deploymentInfo.getMinorVersion());
        copy.setDeploymentName(deploymentInfo.getDeploymentName());
        copy.setClassIntrospecter(deploymentInfo.getClassIntrospecter());

        for (ServletInfo servlet : deploymentInfo.getServlets().values()) {
            copy.addServlet(servlet.clone());
        }

        // Names of the filters that survive; used below to decide which mappings to keep.
        Collection<String> keptFilterNames = new HashSet<>();
        for (FilterInfo filterInfo : deploymentInfo.getFilters().values()) {
            if (!(filterInfo instanceof PaxWebFilterInfo)) {
                continue;
            }
            FilterModel model = ((PaxWebFilterInfo) filterInfo).getFilterModel();
            boolean keep = model == null
                    || (!z && model.isDynamic())
                    || (!z2 && !model.isDynamic());
            if (keep) {
                copy.addFilter(filterInfo);
                keptFilterNames.add(filterInfo.getName());
            }
        }

        for (FilterMappingInfo mapping : deploymentInfo.getFilterMappings()) {
            String filterName = mapping.getFilterName();
            if (!keptFilterNames.contains(filterName)) {
                continue;
            }
            if (mapping.getMappingType() == FilterMappingInfo.MappingType.SERVLET) {
                copy.addFilterServletNameMapping(filterName, mapping.getMapping(), mapping.getDispatcher());
            }
            if (mapping.getMappingType() == FilterMappingInfo.MappingType.URL) {
                copy.addFilterUrlMapping(filterName, mapping.getMapping(), mapping.getDispatcher());
            }
        }

        copy.setDisplayName(deploymentInfo.getDisplayName());
        copy.getListeners().addAll(deploymentInfo.getListeners());
        copy.getServletContainerInitializers().addAll(deploymentInfo.getServletContainerInitializers());
        copy.getThreadSetupActions().addAll(deploymentInfo.getThreadSetupActions());
        copy.getInitParameters().putAll(deploymentInfo.getInitParameters());
        copy.getServletContextAttributes().putAll(deploymentInfo.getServletContextAttributes());
        copy.getWelcomePages().addAll(deploymentInfo.getWelcomePages());
        copy.getErrorPages().addAll(deploymentInfo.getErrorPages());
        copy.getMimeMappings().addAll(deploymentInfo.getMimeMappings());
        copy.setExecutor(deploymentInfo.getExecutor());
        copy.setAsyncExecutor(deploymentInfo.getAsyncExecutor());
        copy.setTempDir(deploymentInfo.getTempDir());
        copy.setJspConfigDescriptor(deploymentInfo.getJspConfigDescriptor());
        copy.setDefaultServletConfig(deploymentInfo.getDefaultServletConfig());
        copy.getLocaleCharsetMapping().putAll(deploymentInfo.getLocaleCharsetMapping());
        copy.setSessionManagerFactory(deploymentInfo.getSessionManagerFactory());
        // The login configuration is cloned rather than shared with the source.
        if (deploymentInfo.getLoginConfig() != null) {
            copy.setLoginConfig(deploymentInfo.getLoginConfig().clone());
        }
        copy.setIdentityManager(deploymentInfo.getIdentityManager());
        copy.setConfidentialPortManager(deploymentInfo.getConfidentialPortManager());
        copy.setDefaultEncoding(deploymentInfo.getDefaultEncoding());
        copy.setUrlEncoding(deploymentInfo.getUrlEncoding());
        copy.getSecurityConstraints().addAll(deploymentInfo.getSecurityConstraints());
        copy.getOuterHandlerChainWrappers().addAll(deploymentInfo.getOuterHandlerChainWrappers());
        copy.getInnerHandlerChainWrappers().addAll(deploymentInfo.getInnerHandlerChainWrappers());
        copy.setInitialSecurityWrapper(deploymentInfo.getInitialSecurityWrapper());
        copy.getSecurityWrappers().addAll(deploymentInfo.getSecurityWrappers());
        copy.getInitialHandlerChainWrappers().addAll(deploymentInfo.getInitialHandlerChainWrappers());
        copy.getSecurityRoles().addAll(deploymentInfo.getSecurityRoles());
        copy.getNotificationReceivers().addAll(deploymentInfo.getNotificationReceivers());
        copy.setAllowNonStandardWrappers(deploymentInfo.isAllowNonStandardWrappers());
        copy.setDefaultSessionTimeout(deploymentInfo.getDefaultSessionTimeout());
        copy.setServletContextAttributeBackingMap(deploymentInfo.getServletContextAttributeBackingMap());
        copy.setServletSessionConfig(deploymentInfo.getServletSessionConfig());
        copy.setHostName(deploymentInfo.getHostName());
        copy.setDenyUncoveredHttpMethods(deploymentInfo.isDenyUncoveredHttpMethods());
        copy.setServletStackTraces(deploymentInfo.getServletStackTraces());
        copy.setInvalidateSessionOnLogout(deploymentInfo.isInvalidateSessionOnLogout());
        copy.setDefaultCookieVersion(deploymentInfo.getDefaultCookieVersion());
        copy.setSessionPersistenceManager(deploymentInfo.getSessionPersistenceManager());
        // Each principal gets its own role set so the copy does not share sets with the source.
        deploymentInfo.getPrincipalVersusRolesMap().forEach(
                (principal, roles) -> copy.getPrincipalVersusRolesMap().put(principal, new HashSet<>(roles)));
        copy.setIgnoreFlush(deploymentInfo.isIgnoreFlush());
        copy.setAuthorizationManager(deploymentInfo.getAuthorizationManager());
        copy.getAuthenticationMechanisms().putAll(deploymentInfo.getAuthenticationMechanisms());
        copy.getServletExtensions().addAll(deploymentInfo.getServletExtensions());
        copy.setJaspiAuthenticationMechanism(deploymentInfo.getJaspiAuthenticationMechanism());
        copy.setSecurityContextFactory(deploymentInfo.getSecurityContextFactory());
        copy.setServerName(deploymentInfo.getServerName());
        copy.setMetricsCollector(deploymentInfo.getMetricsCollector());
        copy.setSessionConfigWrapper(deploymentInfo.getSessionConfigWrapper());
        copy.setEagerFilterInit(deploymentInfo.isEagerFilterInit());
        copy.setDisableCachingForSecuredPages(deploymentInfo.isDisableCachingForSecuredPages());
        copy.setExceptionHandler(deploymentInfo.getExceptionHandler());
        copy.setEscapeErrorMessage(deploymentInfo.isEscapeErrorMessage());
        copy.getSessionListeners().addAll(deploymentInfo.getSessionListeners());
        copy.getLifecycleInterceptors().addAll(deploymentInfo.getLifecycleInterceptors());
        copy.setAuthenticationMode(deploymentInfo.getAuthenticationMode());
        copy.setDefaultMultipartConfig(deploymentInfo.getDefaultMultipartConfig());
        copy.setContentTypeCacheSize(deploymentInfo.getContentTypeCacheSize());
        copy.setSessionIdGenerator(deploymentInfo.getSessionIdGenerator());
        copy.setSendCustomReasonPhraseOnError(deploymentInfo.isSendCustomReasonPhraseOnError());
        copy.setChangeSessionIdOnLogin(deploymentInfo.isChangeSessionIdOnLogin());
        copy.setCrawlerSessionManagerConfig(deploymentInfo.getCrawlerSessionManagerConfig());
        copy.setSecurityDisabled(deploymentInfo.isSecurityDisabled());
        copy.setUseCachedAuthenticationMechanism(deploymentInfo.isUseCachedAuthenticationMechanism());
        copy.setCheckOtherSessionManagers(deploymentInfo.isCheckOtherSessionManagers());
        copy.setDefaultRequestEncoding(deploymentInfo.getDefaultRequestEncoding());
        copy.setDefaultResponseEncoding(deploymentInfo.getDefaultResponseEncoding());
        copy.getPreCompressedResources().putAll(deploymentInfo.getPreCompressedResources());
        copy.setContainerMajorVersion(deploymentInfo.getContainerMajorVersion());
        copy.setContainerMinorVersion(deploymentInfo.getContainerMinorVersion());
        copy.getDeploymentCompleteListeners().addAll(deploymentInfo.getDeploymentCompleteListeners());
        copy.setPreservePathOnForward(deploymentInfo.isPreservePathOnForward());
        return copy;
    }
}
