package org.eclipse.jetty.server;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.http.BadMessageException;
import org.eclipse.jetty.http.HttpField;
import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.http.PreEncodedHttpField;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.util.Attributes;
import org.eclipse.jetty.util.annotation.Name;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.ssl.X509;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/jetty/server/SecureRequestCustomizer.class */
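/**
 * {@link HttpConfiguration.Customizer} for requests that arrive over TLS.
 * <p>
 * When the connection's {@link EndPoint} exposes {@link EndPoint.SslSessionData}, the request is
 * wrapped so that {@code isSecure()} is {@code true} and the SSL session data plus the server's
 * {@link X509} certificate become request attributes. Before wrapping, the SNI sent by the client
 * and the {@code Host} header are validated against the selected server certificate (see
 * {@link #checkSni(Request, SSLSession)}); a failed check rejects the request with a 400.
 * <p>
 * Optionally a {@code Strict-Transport-Security} response header is added whenever a non-negative
 * {@code max-age} has been configured.
 * <p>
 * Note: this source was recovered from a decompiled class file; decompiler artifacts (an
 * {@code int}-valued boolean, a {@code switch} on a hash code, an {@code r5} outer-instance
 * reference) have been rewritten as plain Java with identical intent.
 */
public class SecureRequestCustomizer implements HttpConfiguration.Customizer {
    /**
     * Name of the request attribute (and of the {@link SSLSession} value used as a cache) that
     * holds the server's certificate as an {@link X509}.
     */
    public static final String X509_ATTRIBUTE = "org.eclipse.jetty.server.x509";
    private static final Logger LOG = LoggerFactory.getLogger(SecureRequestCustomizer.class);
    private boolean _sniRequired;
    private boolean _sniHostCheck;
    // Seconds; negative disables the STS header (see formatSTS()).
    private long _stsMaxAge;
    private boolean _stsIncludeSubDomains;
    // Pre-encoded STS header, or null when the header is disabled.
    private HttpField _stsField;

    /**
     * Minimal secure-request wrapper: only reports {@code isSecure() == true}.
     * Not used by this class's own {@link #customize(Request, HttpFields.Mutable)} path, which
     * always builds a {@link SecureRequestWithSslSessionData}; presumably kept for subclasses that
     * override {@link #newSecureRequest(Request, EndPoint.SslSessionData)}.
     */
    protected static class SecureRequest extends Request.Wrapper {
        public SecureRequest(Request request) {
            super(request);
        }

        @Override
        public boolean isSecure() {
            return true;
        }
    }

    /**
     * Secure-request wrapper that additionally exposes two synthetic attributes:
     * {@link EndPoint.SslSessionData#ATTRIBUTE} (the session data itself) and
     * {@link #X509_ATTRIBUTE} (the server certificate, resolved lazily via
     * {@link SecureRequestCustomizer#getX509(SSLSession)}).
     * <p>
     * This is a non-static inner class because attribute resolution needs the enclosing
     * customizer instance.
     */
    public class SecureRequestWithSslSessionData extends Request.AttributesWrapper {
        private static final Set<String> ATTRIBUTES = Set.of(EndPoint.SslSessionData.ATTRIBUTE, SecureRequestCustomizer.X509_ATTRIBUTE);

        /**
         * @param request the request to wrap
         * @param sslSessionData the TLS session data of the connection the request arrived on
         */
        protected SecureRequestWithSslSessionData(Request request, final EndPoint.SslSessionData sslSessionData) {
            super(request, new Attributes.Synthetic(request) {
                @Override
                protected Object getSyntheticAttribute(String name) {
                    // Plain string comparison instead of the decompiled hashCode switch; a null
                    // name simply resolves to no attribute rather than throwing.
                    if (EndPoint.SslSessionData.ATTRIBUTE.equals(name)) {
                        return sslSessionData;
                    }
                    if (SecureRequestCustomizer.X509_ATTRIBUTE.equals(name)) {
                        // May be null when the session carries no local X509 certificate.
                        return SecureRequestCustomizer.this.getX509(sslSessionData.sslSession());
                    }
                    return null;
                }

                @Override
                protected Set<String> getSyntheticNameSet() {
                    return SecureRequestWithSslSessionData.ATTRIBUTES;
                }
            });
        }

        @Override
        public boolean isSecure() {
            return true;
        }
    }

    /** Creates a customizer with SNI host check enabled, SNI not required and no STS header. */
    public SecureRequestCustomizer() {
        this(true);
    }

    /**
     * @param sniHostCheck whether the {@code Host} header must match the server certificate
     */
    public SecureRequestCustomizer(@Name("sniHostCheck") boolean sniHostCheck) {
        this(sniHostCheck, -1L, false);
    }

    /**
     * @param sniHostCheck whether the {@code Host} header must match the server certificate
     * @param stsMaxAgeSeconds STS {@code max-age} in seconds; negative disables the header
     * @param stsIncludeSubdomains whether to add {@code includeSubDomains} to the STS header
     */
    public SecureRequestCustomizer(@Name("sniHostCheck") boolean sniHostCheck, @Name("stsMaxAgeSeconds") long stsMaxAgeSeconds, @Name("stsIncludeSubdomains") boolean stsIncludeSubdomains) {
        this(false, sniHostCheck, stsMaxAgeSeconds, stsIncludeSubdomains);
    }

    /**
     * @param sniRequired whether a client must send an SNI that matches the server certificate
     * @param sniHostCheck whether the {@code Host} header must match the server certificate
     * @param stsMaxAgeSeconds STS {@code max-age} in seconds; negative disables the header
     * @param stsIncludeSubdomains whether to add {@code includeSubDomains} to the STS header
     */
    public SecureRequestCustomizer(@Name("sniRequired") boolean sniRequired, @Name("sniHostCheck") boolean sniHostCheck, @Name("stsMaxAgeSeconds") long stsMaxAgeSeconds, @Name("stsIncludeSubdomains") boolean stsIncludeSubdomains) {
        this._sniRequired = sniRequired;
        this._sniHostCheck = sniHostCheck;
        this._stsMaxAge = stsMaxAgeSeconds;
        this._stsIncludeSubDomains = stsIncludeSubdomains;
        formatSTS();
    }

    /** @return whether the {@code Host} header is checked against the server certificate */
    public boolean isSniHostCheck() {
        return this._sniHostCheck;
    }

    /** @param sniHostCheck whether the {@code Host} header is checked against the server certificate */
    public void setSniHostCheck(boolean sniHostCheck) {
        this._sniHostCheck = sniHostCheck;
    }

    /** @return whether a matching SNI is required from the client */
    public boolean isSniRequired() {
        return this._sniRequired;
    }

    /** @param sniRequired whether a matching SNI is required from the client */
    public void setSniRequired(boolean sniRequired) {
        this._sniRequired = sniRequired;
    }

    /** @return the STS {@code max-age} in seconds, negative when the header is disabled */
    public long getStsMaxAge() {
        return this._stsMaxAge;
    }

    /** @param stsMaxAgeSeconds the STS {@code max-age} in seconds; negative disables the header */
    public void setStsMaxAge(long stsMaxAgeSeconds) {
        setStsMaxAge(stsMaxAgeSeconds, TimeUnit.SECONDS);
    }

    /**
     * @param stsMaxAge the STS {@code max-age} in the given unit; negative disables the header
     * @param timeUnit the unit of {@code stsMaxAge}
     */
    public void setStsMaxAge(long stsMaxAge, TimeUnit timeUnit) {
        this._stsMaxAge = timeUnit.toSeconds(stsMaxAge);
        formatSTS();
    }

    /** @return whether {@code includeSubDomains} is added to the STS header */
    public boolean isStsIncludeSubDomains() {
        return this._stsIncludeSubDomains;
    }

    /** @param stsIncludeSubDomains whether {@code includeSubDomains} is added to the STS header */
    public void setStsIncludeSubDomains(boolean stsIncludeSubDomains) {
        this._stsIncludeSubDomains = stsIncludeSubDomains;
        formatSTS();
    }

    /**
     * Rebuilds the cached {@code Strict-Transport-Security} field from the current settings.
     * A negative max-age clears the field so that no header is sent.
     */
    private void formatSTS() {
        long maxAge = getStsMaxAge();
        if (maxAge < 0) {
            this._stsField = null;
            return;
        }
        String subDomains = isStsIncludeSubDomains() ? "; includeSubDomains" : "";
        this._stsField = new PreEncodedHttpField(HttpHeader.STRICT_TRANSPORT_SECURITY, String.format("max-age=%d%s", maxAge, subDomains));
    }

    /**
     * Wraps the request as secure when the connection carries TLS session data, and adds the
     * STS header when configured.
     * <p>
     * {@link #newSecureRequest(Request, EndPoint.SslSessionData)} runs the SNI checks first, so a
     * rejected request (400) never reaches the header addition below. The STS header is added
     * regardless of whether this particular connection was TLS; this customizer is presumably
     * meant to be installed only on the HTTPS connector's {@link HttpConfiguration} — confirm
     * against the deployment.
     *
     * @param request the request being customized
     * @param responseHeaders the mutable response headers
     * @return the (possibly wrapped) request
     * @throws BadMessageException if the SNI checks fail
     */
    @Override
    public Request customize(Request request, HttpFields.Mutable responseHeaders) {
        EndPoint endPoint = request.getConnectionMetaData().getConnection().getEndPoint();
        EndPoint.SslSessionData sslSessionData = endPoint != null ? endPoint.getSslSessionData() : null;
        if (sslSessionData != null) {
            request = newSecureRequest(request, sslSessionData);
        }
        if (this._stsField != null) {
            responseHeaders.add(this._stsField);
        }
        return request;
    }

    /**
     * Runs the SNI checks (only when an {@link SSLSession} is present) and wraps the request.
     *
     * @param request the request to wrap
     * @param sslSessionData the TLS session data of the connection
     * @return the secure request wrapper
     * @throws BadMessageException if the SNI checks fail
     */
    protected Request newSecureRequest(Request request, EndPoint.SslSessionData sslSessionData) {
        SSLSession sslSession = sslSessionData.sslSession();
        if (sslSession != null) {
            checkSni(request, sslSession);
        }
        return new SecureRequestWithSslSessionData(request, sslSessionData);
    }

    /**
     * Validates the client's SNI and the {@code Host} header against the server certificate
     * selected for the session. No-op unless SNI is required or the host check is enabled.
     * <p>
     * All failures are reported with the same generic "Invalid SNI" 400 response; the details
     * (host, SNI, certificate) only go to the debug log. The check fails closed: if no server
     * certificate can be resolved from the session, the request is rejected.
     *
     * @param request the request whose {@code Host} header is checked
     * @param sslSession the TLS session of the connection
     * @throws BadMessageException on a missing certificate, a missing/mismatching SNI when SNI is
     *         required, or a {@code Host} header that does not match the certificate when the host
     *         check is enabled
     */
    protected void checkSni(Request request, SSLSession sslSession) {
        if (!isSniRequired() && !isSniHostCheck()) {
            return;
        }
        String sni = retrieveSni(request, sslSession);
        X509 x509 = getX509(sslSession);
        if (x509 == null) {
            throw new BadMessageException(HttpStatus.BAD_REQUEST_400, "Invalid SNI");
        }
        String serverName = Request.getServerName(request);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sni, x509);
        }
        if (isSniRequired() && (sni == null || !x509.matches(sni))) {
            throw new BadMessageException(HttpStatus.BAD_REQUEST_400, "Invalid SNI");
        }
        if (isSniHostCheck() && !x509.matches(serverName)) {
            throw new BadMessageException(HttpStatus.BAD_REQUEST_400, "Invalid SNI");
        }
    }

    /**
     * Returns the SNI host name the client sent, or {@code null} if none is available.
     * <p>
     * The value cached on the session under {@link SslContextFactory.Server#SNI_HOST} is
     * preferred; otherwise the first {@link SNIHostName} among the session's requested server
     * names is used (only possible for an {@link ExtendedSSLSession}).
     *
     * @param request the request (unused here; available for overrides)
     * @param sslSession the TLS session of the connection
     * @return the SNI host name in ASCII form, or {@code null}
     */
    protected String retrieveSni(Request request, SSLSession sslSession) {
        String cached = (String) sslSession.getValue(SslContextFactory.Server.SNI_HOST);
        if (cached != null) {
            return cached;
        }
        if (!(sslSession instanceof ExtendedSSLSession)) {
            return null;
        }
        for (SNIServerName serverName : getRequestedServerNames((ExtendedSSLSession) sslSession)) {
            if (serverName instanceof SNIHostName) {
                return ((SNIHostName) serverName).getAsciiName();
            }
        }
        return null;
    }

    /**
     * Best-effort wrapper around {@link ExtendedSSLSession#getRequestedServerNames()}.
     * Any failure yields an empty list rather than propagating; with SNI required, the missing
     * name then causes {@link #checkSni(Request, SSLSession)} to reject the request.
     *
     * @param session the extended TLS session
     * @return the requested server names, or an empty list if they cannot be retrieved
     */
    private List<SNIServerName> getRequestedServerNames(ExtendedSSLSession session) {
        try {
            return session.getRequestedServerNames();
        } catch (Throwable x) {
            // Deliberately broad (kept from the original); logged so the failure is not silent.
            if (LOG.isDebugEnabled()) {
                LOG.debug("Unable to retrieve requested server names from {}", session, x);
            }
            return List.of();
        }
    }

    /**
     * Resolves the server's (local) certificate for the session as an {@link X509}, caching it
     * on the session under {@link #X509_ATTRIBUTE}.
     *
     * @param sslSession the TLS session, may be {@code null}
     * @return the wrapped local certificate, or {@code null} if the session is {@code null} or
     *         carries no local {@link X509Certificate}
     */
    private X509 getX509(SSLSession sslSession) {
        // The attribute wrapper can ask for X509_ATTRIBUTE on session data whose sslSession()
        // is null (newSecureRequest tolerates that case), so guard here instead of throwing.
        if (sslSession == null) {
            return null;
        }
        X509 x509 = (X509) sslSession.getValue(X509_ATTRIBUTE);
        if (x509 != null) {
            return x509;
        }
        // Local certificates are the server's own chain; element 0 is the leaf.
        Certificate[] localCertificates = sslSession.getLocalCertificates();
        if (localCertificates == null || localCertificates.length == 0 || !(localCertificates[0] instanceof X509Certificate)) {
            return null;
        }
        x509 = new X509(null, (X509Certificate) localCertificates[0]);
        sslSession.putValue(X509_ATTRIBUTE, x509);
        return x509;
    }

    @Override
    public String toString() {
        return String.format("%s@%x", getClass().getSimpleName(), hashCode());
    }
}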
