package sirius.web.http;

import io.netty.channel.ChannelHandler;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslHandler;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;
import sirius.kernel.di.std.ConfigValue;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:sirius/web/http/SSLWebServerInitializer.class */
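/**
 * Channel initializer which puts a server-side TLS handler in front of the regular HTTP pipeline.
 *
 * <p>The key material is read once, in the constructor, from the JKS keystore named by
 * {@code http.ssl.keystore}. The certificate presented to a client is picked per handshake by
 * {@link SniKeyManager}: the host name sent in the SNI extension is used directly as keystore
 * alias, with {@code http.ssl.alias} as fallback.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The SNI host name is chosen by the client. Every keystore entry which has both a
 *       certificate chain and a private key can therefore be selected by a client that names its
 *       alias, so the keystore should only contain entries which are meant to be served.</li>
 *   <li>The keystore password is held as a {@link String} in a static field for the lifetime of the
 *       class and cannot be wiped after use.</li>
 *   <li>If {@code http.ssl.protocols} or {@code http.ssl.ciphers} is empty, the respective
 *       defaults of the JVM stay in effect.</li>
 * </ul>
 */
public class SSLWebServerInitializer extends WebServerInitializer {
    private final SSLContext context;

    @ConfigValue("http.ssl.alias")
    private static String defaultAlias;

    @ConfigValue("http.ssl.keystore")
    private static String keystore;

    @ConfigValue("http.ssl.password")
    private static String password;

    @ConfigValue("http.ssl.ephemeralDHKeySize")
    private static int ephemeralDHKeySize;

    @ConfigValue("http.ssl.protocols")
    private static List<String> protocols;

    @ConfigValue("http.ssl.ciphers")
    private static List<String> ciphers;

    /**
     * Server-only key manager which selects the keystore alias from the SNI host name of the
     * current handshake and delegates the actual key and certificate lookup to the wrapped manager.
     *
     * <p>All client-side methods and the {@link Socket} based server method are unsupported, so this
     * manager can only be used with {@link SSLEngine} based server connections.
     */
    static class SniKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager keyManager;

        /**
         * Creates a manager on top of the given delegate.
         *
         * @param x509ExtendedKeyManager the key manager which actually owns keys and certificates
         */
        SniKeyManager(X509ExtendedKeyManager x509ExtendedKeyManager) {
            this.keyManager = x509ExtendedKeyManager;
        }

        @Override
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            throw new UnsupportedOperationException();
        }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            throw new UnsupportedOperationException();
        }

        @Override
        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
            throw new UnsupportedOperationException();
        }

        @Override
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return this.keyManager.getServerAliases(keyType, issuers);
        }

        @Override
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            throw new UnsupportedOperationException();
        }

        /**
         * Picks the alias for the handshake running on the given engine.
         *
         * <p>The requested SNI host name is returned if the keystore holds both a certificate chain
         * and a private key under that name. In every other case (no SNI sent, no usable session,
         * unknown alias) the configured default alias is returned.
         *
         * <p>NOTE(review): {@code keyType} and {@code issuers} are not consulted, so the returned
         * alias may hold a key of another algorithm than the one asked for. Confirm that the
         * keystore only contains a single key type.
         *
         * @param keyType the requested key algorithm (ignored)
         * @param issuers the acceptable issuers (ignored)
         * @param engine the engine performing the handshake
         * @return the alias to use, which is either the SNI host name or the default alias
         */
        @Override
        public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
            String hostName = requestedHostName(engine);
            if (hostName == null || getCertificateChain(hostName) == null || getPrivateKey(hostName) == null) {
                return SSLWebServerInitializer.defaultAlias;
            }
            return hostName;
        }

        /**
         * Extracts the first host name from the SNI extension of the current handshake.
         *
         * @param engine the engine performing the handshake
         * @return the ASCII form of the requested host name or {@code null} if none is available
         */
        private static String requestedHostName(SSLEngine engine) {
            // getHandshakeSession() may return null and is only declared as SSLSession, so the
            // session is checked before it is narrowed instead of being cast blindly.
            SSLSession session = engine.getHandshakeSession();
            if (!(session instanceof ExtendedSSLSession)) {
                return null;
            }
            for (SNIServerName serverName : ((ExtendedSSLSession) session).getRequestedServerNames()) {
                // The value is attacker-controlled input. It is only ever used as a lookup key
                // for the keystore by the caller.
                if (serverName.getType() == StandardConstants.SNI_HOST_NAME && serverName instanceof SNIHostName) {
                    return ((SNIHostName) serverName).getAsciiName();
                }
            }
            return null;
        }

        @Override
        public X509Certificate[] getCertificateChain(String alias) {
            return this.keyManager.getCertificateChain(alias);
        }

        @Override
        public PrivateKey getPrivateKey(String alias) {
            return this.keyManager.getPrivateKey(alias);
        }
    }

    /**
     * Loads the configured keystore and prepares the {@link SSLContext} used for all connections.
     *
     * <p>The same password is used to open the keystore and to unlock the keys within it.
     *
     * @throws Exception if the keystore cannot be read or opened, if no suitable key manager is
     *         available or if the TLS context cannot be created
     */
    public SSLWebServerInitializer() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        // try-with-resources closes the stream exactly once, whether or not loading fails.
        try (InputStream keystoreStream = Files.newInputStream(Paths.get(keystore))) {
            keyStore.load(keystoreStream, password.toCharArray());
        }

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, password.toCharArray());

        // If several managers qualify, the last one reported by the factory is used.
        X509ExtendedKeyManager delegate = null;
        for (KeyManager candidate : keyManagerFactory.getKeyManagers()) {
            if (candidate instanceof X509ExtendedKeyManager) {
                delegate = (X509ExtendedKeyManager) candidate;
            }
        }
        if (delegate == null) {
            throw new Exception("KeyManagerFactory did not create an X509ExtendedKeyManager");
        }

        // This is a JVM-wide system property, so it affects every JSSE server in this process
        // and not only this one.
        // NOTE(review): JSSE may read the property only once during its own initialisation.
        // Confirm that this runs early enough and that the configured value is one JSSE accepts.
        System.setProperty("jdk.tls.ephemeralDHKeySize", String.valueOf(ephemeralDHKeySize));

        this.context = SSLContext.getInstance("TLS");
        // Passing null for trust managers and randomness selects the defaults of the JVM.
        this.context.init(new KeyManager[] {new SniKeyManager(delegate)}, null, null);
    }

    @Override
    protected boolean isSSL() {
        return true;
    }

    /**
     * Installs a server-mode TLS handler as first element of the pipeline and then lets the super
     * class set up the remaining handlers.
     *
     * <p>Cipher suites and protocols are only restricted if the respective configuration list is
     * non-empty. No call made here requests a client certificate.
     *
     * @param socketChannel the channel being set up
     * @throws Exception if the super class fails to initialize the channel
     */
    @Override
    public void initChannel(SocketChannel socketChannel) throws Exception {
        SSLEngine engine = this.context.createSSLEngine();
        engine.setUseClientMode(false);
        if (!ciphers.isEmpty()) {
            engine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
        }
        if (!protocols.isEmpty()) {
            engine.setEnabledProtocols(protocols.toArray(new String[0]));
        }
        socketChannel.pipeline().addFirst(new ChannelHandler[] {new SslHandler(engine)});
        super.initChannel(socketChannel);
    }
}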
