package org.apache.tomcat.util.net.openssl.panama;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.lang.ref.Cleaner;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.file.ConfigFileLoader;
import org.apache.tomcat.util.file.ConfigurationSource;
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtilBase;
import org.apache.tomcat.util.net.openssl.OpenSSLConf;
import org.apache.tomcat.util.net.openssl.OpenSSLConfCmd;
import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
import org.apache.tomcat.util.net.openssl.panama.OpenSSLEngine;
import org.apache.tomcat.util.openssl.SSL_CTX_set_alpn_select_cb$cb;
import org.apache.tomcat.util.openssl.SSL_CTX_set_cert_verify_callback$cb;
import org.apache.tomcat.util.openssl.SSL_CTX_set_tmp_dh_callback$dh;
import org.apache.tomcat.util.openssl.SSL_CTX_set_verify$callback;
import org.apache.tomcat.util.openssl.openssl_h;
import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
import org.apache.tomcat.util.openssl.openssl_h_Macros;
import org.apache.tomcat.util.openssl.pem_password_cb;
import org.apache.tomcat.util.res.StringManager;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.class */
public class OpenSSLContext implements SSLContext {
    // Scratch-buffer size for OpenSSL error strings; presumably used by getLastError(), which is not in this excerpt.
    private static final int OPENSSL_ERROR_MESSAGE_BUFFER_SIZE = 256;
    // Value substituted by setEnabledProtocol() when null is passed.
    private static final String defaultProtocol = "TLS";
    // Certificate/key slot indexes by key algorithm; not referenced in the visible part of this file.
    private static final int SSL_AIDX_RSA = 0;
    private static final int SSL_AIDX_DSA = 1;
    private static final int SSL_AIDX_ECC = 3;
    private static final int SSL_AIDX_MAX = 4;
    // Bit flags built from SSLHostConfig.getEnabledProtocols() in the constructor to derive the
    // min/max protocol version. SSL_PROTOCOL_ALL is the union of the TLS 1.0-1.3 bits (4|8|16|32).
    public static final int SSL_PROTOCOL_NONE = 0;
    public static final int SSL_PROTOCOL_SSLV2 = 1;
    public static final int SSL_PROTOCOL_SSLV3 = 2;
    public static final int SSL_PROTOCOL_TLSV1 = 4;
    public static final int SSL_PROTOCOL_TLSV1_1 = 8;
    public static final int SSL_PROTOCOL_TLSV1_2 = 16;
    public static final int SSL_PROTOCOL_TLSV1_3 = 32;
    public static final int SSL_PROTOCOL_ALL = 60;
    // Verification mode passed to SSL_CTX_set_verify for CertificateVerification.OPTIONAL_NO_CA (see init()).
    static final int OPTIONAL_NO_CA = 3;
    // PEM armour used when a private key is handed to OpenSSL as PKCS#8 text (usage not in this excerpt).
    private static final String BEGIN_KEY = "-----BEGIN PRIVATE KEY-----\n";
    // Initialised in a static block that is not part of this excerpt.
    static final CertificateFactory X509_CERT_FACTORY;
    static final boolean OPENSSL_3;
    // Host configuration and the single certificate this context serves (set in the constructor).
    private final SSLHostConfig sslHostConfig;
    private final SSLHostConfigCertificate certificate;
    // True when the connector supplied ALPN protocol names.
    private final boolean alpn;
    // OpenSSL version constants (TLS1_VERSION ... TLS1_3_VERSION) chosen in the constructor.
    private final int minTlsVersion;
    private final int maxTlsVersion;
    // ALPN names as ISO-8859-1 bytes, in preference order, with "http/1.1" appended last; null when alpn is false.
    private final List<byte[]> negotiableProtocols;
    private OpenSSLSessionContext sessionContext;
    private String enabledProtocol;
    // Guards against init() being run twice.
    private boolean initialized = false;
    // Set by applyConf() from the NO_OCSP_CHECK pseudo-command; presumably consulted during verification — confirm.
    private boolean noOcspCheck = false;
    // Chosen in init() from the supplied TrustManager[] and wrapped by CertVerifyCallback.
    private X509TrustManager x509TrustManager;
    // Owns the native SSL_CTX / SSL_CONF_CTX; released through the cleanable (destroy() or GC).
    private final ContextState state;
    // Automatic arena holding the upcall stubs registered with OpenSSL for the lifetime of this context.
    private final Arena contextArena;
    private final Cleaner.Cleanable cleanable;
    // OpenSSL NID for the RSA key exchange.
    private static final int NID_kx_rsa = 1037;
    // Key-exchange (SSL_k*) and authentication (SSL_a*) flags used to name the cipher's auth method.
    // NOTE(review): these read like OpenSSL's hex bit masks with the 0x prefix lost (10, 20, 40, 80 are
    // not single bits in decimal) — confirm against the upstream source before relying on the values.
    private static final int SSL_kDHr = 2;
    private static final int SSL_kDHd = 4;
    private static final int SSL_kEDH = 8;
    private static final int SSL_kDHE = 8;
    private static final int SSL_kKRB5 = 10;
    private static final int SSL_kECDHr = 20;
    private static final int SSL_kECDHe = 40;
    private static final int SSL_kEECDH = 80;
    private static final int SSL_kECDHE = 80;
    private static final int SSL_aRSA = 1;
    private static final int SSL_aDSS = 2;
    private static final int SSL_aNULL = 4;
    private static final int SSL_aECDSA = 40;
    // Authentication-method names reported to the trust manager.
    private static final String SSL_TXT_RSA = "RSA";
    private static final String SSL_TXT_DH = "DH";
    private static final String SSL_TXT_DSS = "DSS";
    private static final String SSL_TXT_KRB5 = "KRB5";
    private static final String SSL_TXT_ECDH = "ECDH";
    private static final String SSL_TXT_ECDSA = "ECDSA";
    private static final Log log = LogFactory.getLog((Class<?>) OpenSSLContext.class);
    private static final StringManager sm = StringManager.getManager((Class<?>) OpenSSLContext.class);
    // Runs ContextState.run() (arena close, hence SSL_CTX_free) when a context becomes unreachable.
    private static final Cleaner cleaner = Cleaner.create();
    // Declared as Object here (decompiler artefact); presumably a String in the original source.
    private static final Object END_KEY = "\n-----END PRIVATE KEY-----";
    // ASCII "http/1.1": always appended to the ALPN list so HTTP/1.1 remains negotiable.
    private static final byte[] HTTP_11_PROTOCOL = {104, 116, 116, 112, 47, 49, 46, 49};
    // ASCII "default": session id context used when none is derived from the configuration.
    private static final byte[] DEFAULT_SESSION_ID_CONTEXT = {100, 101, 102, 97, 117, 108, 116};

    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLContext$ALPNSelectCallback.class */
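    private static class ALPNSelectCallback implements SSL_CTX_set_alpn_select_cb$cb.Function {
        /** Server-side protocol names, in preference order, as raw bytes (no length prefix). */
        private final List<byte[]> negotiableProtocols;

        ALPNSelectCallback(List<byte[]> list) {
            this.negotiableProtocols = list;
        }

        /**
         * Upcall target for {@code SSL_CTX_set_alpn_select_cb}: selects the first server-preferred protocol that the
         * client offered.
         * <p>
         * The client's list ({@code in}, {@code inLen} bytes) is in ALPN wire format: each entry is one length byte
         * followed by that many name bytes. Entries are compared whole, so a configured name is selected only when
         * the client offered exactly that name; a name that merely appears inside a longer offered entry is not a
         * match.
         *
         * @param ssl    the SSL connection (unused)
         * @param out    {@code const unsigned char **}: receives a pointer into {@code in} at the selected name
         * @param outLen {@code unsigned char *}: receives the length of the selected name
         * @param in     the client's length-prefixed protocol list
         * @param inLen  byte length of {@code in}
         * @param arg    the callback argument (unused)
         * @return {@code SSL_TLSEXT_ERR_OK} when a protocol was selected, otherwise {@code SSL_TLSEXT_ERR_NOACK}
         */
        @Override // org.apache.tomcat.util.openssl.SSL_CTX_set_alpn_select_cb$cb.Function
        public int apply(MemorySegment ssl, MemorySegment out, MemorySegment outLen, MemorySegment in, int inLen, MemorySegment arg) {
            try (Arena arena = Arena.ofConfined()) {
                // The raw pointer has no bounds; attach the advertised length before reading it.
                MemorySegment clientList = in.reinterpret(inLen, arena, null);
                byte[] offered = clientList.toArray(ValueLayout.JAVA_BYTE);
                for (byte[] candidate : this.negotiableProtocols) {
                    int nameOffset = indexOfProtocol(offered, candidate);
                    if (nameOffset < 0) {
                        continue;
                    }
                    // OpenSSL requires *out to point into the client's buffer, not into memory we own.
                    out.reinterpret(ValueLayout.ADDRESS.byteSize(), arena, null)
                            .set(ValueLayout.ADDRESS, 0L, clientList.asSlice(nameOffset));
                    // A matched entry is at most 255 bytes (one length byte), so the byte cast is the
                    // unsigned char value OpenSSL expects.
                    outLen.reinterpret(ValueLayout.JAVA_BYTE.byteSize(), arena, null)
                            .set(ValueLayout.JAVA_BYTE, 0L, (byte) candidate.length);
                    return openssl_h.SSL_TLSEXT_ERR_OK();
                }
                return openssl_h.SSL_TLSEXT_ERR_NOACK();
            }
        }

        /**
         * Walks a length-prefixed ALPN list looking for an entry equal to {@code candidate}.
         *
         * @param offered   the client's list in wire format
         * @param candidate a protocol name without length prefix
         * @return offset of the matching entry's name bytes within {@code offered}, or -1 when no entry matches or
         *         the list is malformed (zero-length or truncated entry)
         */
        private static int indexOfProtocol(byte[] offered, byte[] candidate) {
            int pos = 0;
            while (pos < offered.length) {
                int len = offered[pos] & 0xFF;
                int start = pos + 1;
                if (len == 0 || start + len > offered.length) {
                    return -1;
                }
                if (Arrays.equals(offered, start, start + len, candidate, 0, candidate.length)) {
                    return start;
                }
                pos = start + len;
            }
            return -1;
        }
    }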

    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLContext$CertVerifyCallback.class */
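    private static class CertVerifyCallback implements SSL_CTX_set_cert_verify_callback$cb.Function {
        /** Trust manager that makes the actual decision; it receives the peer's DER-encoded chain. */
        private final X509TrustManager x509TrustManager;

        CertVerifyCallback(X509TrustManager x509TrustManager) {
            this.x509TrustManager = x509TrustManager;
        }

        /**
         * Upcall target for {@code SSL_CTX_set_cert_verify_callback}: replaces OpenSSL's chain verification with
         * {@link X509TrustManager#checkClientTrusted}.
         * <p>
         * The untrusted chain presented by the peer is DER-encoded with {@code i2d_X509}, turned into Java
         * certificates by {@code OpenSSLContext.certificates} and passed to the trust manager together with the
         * authentication method derived from the negotiated cipher. Any exception from that path is logged at debug
         * level and reported to OpenSSL as a verification failure; an exception must never escape an upcall.
         *
         * @param x509StoreCtx the {@code X509_STORE_CTX} being verified
         * @param arg          the argument registered with the callback (the {@code SSL_CTX}); NULL means "reject"
         * @return 1 when the chain is trusted, 0 otherwise
         */
        @Override // org.apache.tomcat.util.openssl.SSL_CTX_set_cert_verify_callback$cb.Function
        public int apply(MemorySegment x509StoreCtx, MemorySegment arg) {
            if (OpenSSLContext.log.isTraceEnabled()) {
                OpenSSLContext.log.trace("Certificate verification");
            }
            if (MemorySegment.NULL.equals(arg)) {
                return 0;
            }
            MemorySegment ssl = openssl_h.X509_STORE_CTX_get_ex_data(x509StoreCtx, openssl_h.SSL_get_ex_data_X509_STORE_CTX_idx());
            MemorySegment untrusted = openssl_h.X509_STORE_CTX_get0_untrusted(x509StoreCtx);
            int chainLength = openssl_h.OPENSSL_sk_num(untrusted);
            if (chainLength < 0) {
                // No chain stack at all (OPENSSL_sk_num reports -1 for NULL). A negative array size would
                // otherwise throw out of the upcall; treat it as a failed verification instead.
                return 0;
            }
            byte[][] encodedChain = new byte[chainLength][];
            try (Arena arena = Arena.ofConfined()) {
                for (int i = 0; i < chainLength; i++) {
                    MemorySegment x509 = openssl_h.OPENSSL_sk_value(untrusted, i);
                    // With *out == NULL, i2d_X509 allocates the DER buffer itself, hence the OPENSSL_free below.
                    MemorySegment derPtr = arena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
                    int derLength = openssl_h.i2d_X509(x509, derPtr);
                    if (derLength < 0) {
                        encodedChain[i] = new byte[0];
                    } else {
                        MemorySegment der = derPtr.get(ValueLayout.ADDRESS, 0L);
                        encodedChain[i] = der.reinterpret(derLength, arena, null).toArray(ValueLayout.JAVA_BYTE);
                        openssl_h_Macros.OPENSSL_free(der);
                    }
                }
                MemorySegment cipher = openssl_h.SSL_get_current_cipher(ssl);
                try {
                    String authType = MemorySegment.NULL.equals(cipher) ? "UNKNOWN"
                            : OpenSSLContext.getCipherAuthenticationMethod(openssl_h.SSL_CIPHER_get_auth_nid(cipher), openssl_h.SSL_CIPHER_get_kx_nid(cipher));
                    this.x509TrustManager.checkClientTrusted(OpenSSLContext.certificates(encodedChain), authType);
                    return 1;
                } catch (Exception e) {
                    OpenSSLContext.log.debug(OpenSSLContext.sm.getString("openssl.certificateVerificationFailed"), e);
                    return 0;
                }
            }
        }
    }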

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLContext$ContextState.class */
    public static class ContextState implements Runnable {
        /** Shared arena that owns the Java views of the native contexts; closing it runs their free callbacks. */
        private final Arena stateArena = Arena.ofShared();
        /** The SSL_CTX, freed with SSL_CTX_free when the arena closes. */
        private final MemorySegment sslCtx;
        /** The SSL_CONF_CTX, freed with SSL_CONF_CTX_free when the arena closes; null when none was created. */
        private final MemorySegment confCtx;

        /**
         * Takes ownership of the two native pointers.
         *
         * @param sslCtxPointer  pointer to an SSL_CTX
         * @param confCtxPointer pointer to an SSL_CONF_CTX, or MemorySegment.NULL if none was created
         */
        private ContextState(MemorySegment sslCtxPointer, MemorySegment confCtxPointer) {
            this.sslCtx = sslCtxPointer.reinterpret(ValueLayout.ADDRESS.byteSize(), this.stateArena, openssl_h::SSL_CTX_free);
            boolean hasConfCtx = !MemorySegment.NULL.equals(confCtxPointer);
            this.confCtx = hasConfCtx
                    ? confCtxPointer.reinterpret(ValueLayout.ADDRESS.byteSize(), this.stateArena, openssl_h::SSL_CONF_CTX_free)
                    : null;
        }

        /** Cleaner action: closing the arena releases both native contexts. */
        @Override // java.lang.Runnable
        public void run() {
            this.stateArena.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLContext$PasswordCallback.class */
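    public static class PasswordCallback implements pem_password_cb.Function {
        /** Passphrase handed to OpenSSL; null or empty means "no passphrase available". */
        private final String callbackPassword;

        PasswordCallback(String str) {
            this.callbackPassword = str;
        }

        /**
         * Upcall target for {@code pem_password_cb}: copies the configured passphrase into OpenSSL's buffer.
         * <p>
         * The passphrase is encoded as a NUL-terminated UTF-8 C string. The value returned to OpenSSL is the number
         * of passphrase bytes, excluding the terminator: OpenSSL feeds exactly that many bytes into key derivation,
         * so counting the NUL (as {@code byteSize()} does) would derive the wrong key.
         *
         * @param buf      {@code char *} buffer to fill
         * @param bufsiz   size of {@code buf} in bytes
         * @param rwflag   unused
         * @param userdata unused
         * @return number of passphrase bytes written, or 0 when no passphrase is configured or it does not fit
         */
        @Override // org.apache.tomcat.util.openssl.pem_password_cb.Function
        public int apply(MemorySegment buf, int bufsiz, int rwflag, MemorySegment userdata) {
            if (OpenSSLContext.log.isTraceEnabled()) {
                OpenSSLContext.log.trace("Return password for certificate");
            }
            if (this.callbackPassword == null || this.callbackPassword.isEmpty()) {
                return 0;
            }
            try (Arena arena = Arena.ofConfined()) {
                // allocateFrom(String) yields a NUL-terminated C string; byteSize() counts the terminator.
                MemorySegment passphrase = arena.allocateFrom(this.callbackPassword);
                if (passphrase.byteSize() > bufsiz) {
                    OpenSSLContext.log.error(OpenSSLContext.sm.getString("openssl.passwordTooLong"));
                    return 0;
                }
                buf.reinterpret(bufsiz, arena, null).copyFrom(passphrase);
                return (int) passphrase.byteSize() - 1;
            }
        }
    }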

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLContext$TmpDHCallback.class */
    public static class TmpDHCallback implements SSL_CTX_set_tmp_dh_callback$dh.Function {
        private TmpDHCallback() {
        }

        /**
         * Upcall target for {@code SSL_CTX_set_tmp_dh_callback}: picks temporary DH parameters sized to the
         * connection's private key.
         * <p>
         * The key size is taken from the SSL's private key only when it is RSA or DSA; any other key type (or no key)
         * counts as 0 bits. The first non-null entry of {@code OpenSSLLibrary.dhParameters} whose {@code min} does not
         * exceed that size wins, so the array is presumably ordered largest-first.
         *
         * @param ssl       the SSL connection
         * @param isExport  unused
         * @param keyLength unused
         * @return the DH parameters, or MemorySegment.NULL when no entry fits
         */
        @Override // org.apache.tomcat.util.openssl.SSL_CTX_set_tmp_dh_callback$dh.Function
        public MemorySegment apply(MemorySegment ssl, int isExport, int keyLength) {
            MemorySegment privateKey = openssl_h.SSL_get_privatekey(ssl);
            int keyType;
            if (MemorySegment.NULL.equals(privateKey)) {
                keyType = openssl_h.EVP_PKEY_NONE();
            } else {
                keyType = openssl_h_Compatibility.EVP_PKEY_base_id(privateKey);
            }
            boolean rsaOrDsa = keyType == openssl_h.EVP_PKEY_RSA() || keyType == openssl_h.EVP_PKEY_DSA();
            int keyBits = rsaOrDsa ? openssl_h_Compatibility.EVP_PKEY_bits(privateKey) : 0;
            for (var candidate : OpenSSLLibrary.dhParameters) {
                if (candidate != null && keyBits >= candidate.min) {
                    return candidate.dh;
                }
            }
            return MemorySegment.NULL;
        }
    }

    /**
     * Reads the cipher list currently configured on an SSL_CTX.
     *
     * @param sslCtx native SSL_CTX
     * @return the cipher names in OpenSSL's order, or null when the context reports no ciphers
     */
    private static String[] getCiphers(MemorySegment sslCtx) {
        MemorySegment cipherStack = openssl_h.SSL_CTX_get_ciphers(sslCtx);
        int count = openssl_h.OPENSSL_sk_num(cipherStack);
        if (count <= 0) {
            return null;
        }
        String[] names = new String[count];
        for (int idx = 0; idx < count; idx++) {
            MemorySegment cipher = openssl_h.OPENSSL_sk_value(cipherStack, idx);
            names[idx] = openssl_h.SSL_CIPHER_get_name(cipher).getString(0L);
        }
        return names;
    }

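    /**
     * Creates a server-side OpenSSL context for one certificate of an {@link SSLHostConfig}.
     * <p>
     * The native resources (the {@code SSL_CTX} and, when {@code openSslConf} is configured, an
     * {@code SSL_CONF_CTX}) are owned by a {@link ContextState} registered with the {@link Cleaner}. On any failure
     * the partially built state is released through {@link #destroy()} before the exception propagates, including
     * an {@code SSL_CTX} that was already created.
     *
     * @param sSLHostConfigCertificate the certificate configuration this context serves
     * @param list                     ALPN protocol names offered by the connector, in preference order; may be null
     * @throws SSLException if OpenSSL cannot be initialised, the configuration context cannot be created, an enabled
     *                      protocol name is unknown, or any other step of context creation fails (the cause is
     *                      attached)
     */
    public OpenSSLContext(SSLHostConfigCertificate sSLHostConfigCertificate, List<String> list) throws SSLException {
        if (!OpenSSLStatus.isInitialized()) {
            try {
                OpenSSLLibrary.init();
            } catch (Exception e) {
                throw new SSLException(e);
            }
        }
        this.sslHostConfig = sSLHostConfigCertificate.getSSLHostConfig();
        this.certificate = sSLHostConfigCertificate;
        this.contextArena = Arena.ofAuto();
        MemorySegment sslCtx = MemorySegment.NULL;
        MemorySegment confCtx = MemorySegment.NULL;
        List<byte[]> protocolBytes = null;
        boolean success = false;
        try {
            if (this.sslHostConfig.getOpenSslConf() != null) {
                if (log.isTraceEnabled()) {
                    log.trace(sm.getString("openssl.makeConf"));
                }
                confCtx = openssl_h.SSL_CONF_CTX_new();
                if (MemorySegment.NULL.equals(confCtx)) {
                    throw new SSLException(sm.getString("openssl.errMakeConf", getLastError()));
                }
                openssl_h.SSL_CONF_CTX_set_flags(confCtx, openssl_h.SSL_CONF_FLAG_FILE() | openssl_h.SSL_CONF_FLAG_SERVER()
                        | openssl_h.SSL_CONF_FLAG_CERTIFICATE() | openssl_h.SSL_CONF_FLAG_SHOW_ERRORS());
            }
            // Kept in the outer local so that a failure further down still frees it via ContextState.
            sslCtx = openssl_h.SSL_CTX_new(openssl_h.TLS_server_method());
            int protocols = protocolMask(this.sslHostConfig.getEnabledProtocols());
            // Highest enabled protocol becomes the maximum; SSL2_VERSION is the fallback when no bit is set.
            int version = openssl_h.SSL2_VERSION();
            if ((protocols & SSL_PROTOCOL_TLSV1_3) > 0) {
                version = openssl_h.TLS1_3_VERSION();
            } else if ((protocols & SSL_PROTOCOL_TLSV1_2) > 0) {
                version = openssl_h.TLS1_2_VERSION();
            } else if ((protocols & SSL_PROTOCOL_TLSV1_1) > 0) {
                version = openssl_h.TLS1_1_VERSION();
            } else if ((protocols & SSL_PROTOCOL_TLSV1) > 0) {
                version = openssl_h.TLS1_VERSION();
            } else if ((protocols & SSL_PROTOCOL_SSLV3) > 0) {
                version = openssl_h.SSL3_VERSION();
            }
            this.maxTlsVersion = version;
            openssl_h_Macros.SSL_CTX_set_max_proto_version(sslCtx, version);
            // Walk down from the maximum while the next lower protocol is also enabled; the minimum is the
            // lowest protocol of the contiguous enabled range, so a gap in the range is not exposed.
            if (version == openssl_h.TLS1_3_VERSION() && (protocols & SSL_PROTOCOL_TLSV1_2) > 0) {
                version = openssl_h.TLS1_2_VERSION();
            }
            if (version == openssl_h.TLS1_2_VERSION() && (protocols & SSL_PROTOCOL_TLSV1_1) > 0) {
                version = openssl_h.TLS1_1_VERSION();
            }
            if (version == openssl_h.TLS1_1_VERSION() && (protocols & SSL_PROTOCOL_TLSV1) > 0) {
                version = openssl_h.TLS1_VERSION();
            }
            if (version == openssl_h.TLS1_VERSION() && (protocols & SSL_PROTOCOL_SSLV3) > 0) {
                version = openssl_h.SSL3_VERSION();
            }
            this.minTlsVersion = version;
            openssl_h_Macros.SSL_CTX_set_min_proto_version(sslCtx, version);
            // Baseline hardening: no TLS compression, no session resumption across renegotiation,
            // fresh DH/ECDH keys per handshake.
            openssl_h.SSL_CTX_set_options(sslCtx, openssl_h.SSL_OP_NO_COMPRESSION());
            openssl_h.SSL_CTX_set_options(sslCtx, openssl_h.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION());
            openssl_h.SSL_CTX_set_options(sslCtx, openssl_h.SSL_OP_SINGLE_DH_USE());
            openssl_h.SSL_CTX_set_options(sslCtx, openssl_h.SSL_OP_SINGLE_ECDH_USE());
            // Session cache defaults: size 256, cache off, 4 hour timeout.
            openssl_h_Macros.SSL_CTX_sess_set_cache_size(sslCtx, 256L);
            openssl_h_Macros.SSL_CTX_set_session_cache_mode(sslCtx, openssl_h.SSL_SESS_CACHE_OFF());
            openssl_h.SSL_CTX_set_timeout(sslCtx, 14400L);
            // Default passphrase callback with no passphrase: returns 0 unless replaced when a key is loaded.
            openssl_h.SSL_CTX_set_default_passwd_cb(sslCtx, pem_password_cb.allocate(new PasswordCallback(null), this.contextArena));
            this.alpn = list != null && !list.isEmpty();
            if (this.alpn) {
                protocolBytes = new ArrayList<>(list.size() + 1);
                for (String protocol : list) {
                    protocolBytes.add(protocol.getBytes(StandardCharsets.ISO_8859_1));
                }
                // HTTP/1.1 is always offered last so a client that does not speak the others can still connect.
                protocolBytes.add(HTTP_11_PROTOCOL);
            }
            success = true;
        } catch (Exception e) {
            throw new SSLException(sm.getString("openssl.errorSSLCtxInit"), e);
        } finally {
            this.negotiableProtocols = protocolBytes;
            this.state = new ContextState(sslCtx, confCtx);
            this.cleanable = cleaner.register(this, this.state);
            if (!success) {
                destroy();
            }
        }
    }

    /**
     * Translates the SSLHostConfig protocol names into the {@code SSL_PROTOCOL_*} bit mask used to choose the
     * minimum and maximum protocol version.
     *
     * @param enabledProtocols names as returned by {@link SSLHostConfig#getEnabledProtocols()}; compared
     *                         case-insensitively
     * @return the union of the matching {@code SSL_PROTOCOL_*} bits; {@code SSLv2Hello} has no corresponding
     *         {@code SSL_CTX} setting and is skipped
     * @throws Exception if a name is not one of the supported protocol names
     */
    private static int protocolMask(String[] enabledProtocols) throws Exception {
        int mask = SSL_PROTOCOL_NONE;
        for (String name : enabledProtocols) {
            if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(name)) {
                continue;
            }
            if ("SSLv2".equalsIgnoreCase(name)) {
                mask |= SSL_PROTOCOL_SSLV2;
            } else if (Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(name)) {
                mask |= SSL_PROTOCOL_SSLV3;
            } else if (Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(name)) {
                mask |= SSL_PROTOCOL_TLSV1;
            } else if (Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(name)) {
                mask |= SSL_PROTOCOL_TLSV1_1;
            } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(name)) {
                mask |= SSL_PROTOCOL_TLSV1_2;
            } else if (Constants.SSL_PROTO_TLSv1_3.equalsIgnoreCase(name)) {
                mask |= SSL_PROTOCOL_TLSV1_3;
            } else if (Constants.SSL_PROTO_ALL.equalsIgnoreCase(name)) {
                mask |= SSL_PROTOCOL_ALL;
            } else {
                throw new Exception(sm.getString("openssl.invalidSslProtocol", name));
            }
        }
        return mask;
    }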

    /**
     * Returns the protocol name recorded by {@link #setEnabledProtocol(String)}; null until it has been set.
     *
     * @return the enabled protocol name, or null
     */
    public String getEnabledProtocol() {
        return this.enabledProtocol;
    }

    /**
     * Records the protocol name reported by {@link #getEnabledProtocol()}.
     *
     * @param str the protocol name; null selects the default, {@code "TLS"}
     */
    public void setEnabledProtocol(String str) {
        if (str == null) {
            this.enabledProtocol = "TLS";
        } else {
            this.enabledProtocol = str;
        }
    }

    /**
     * Releases the native SSL_CTX and SSL_CONF_CTX by running the registered cleaning action (see ContextState.run).
     * Safe to call more than once: Cleaner.Cleanable.clean runs the action at most once.
     */
    @Override // org.apache.tomcat.util.net.SSLContext
    public void destroy() {
        this.cleanable.clean();
    }

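    /**
     * Validates the OpenSSLConf commands against the SSL_CONF_CTX without applying them.
     * <p>
     * Every command is checked and problems are logged per command; the overall result is false if any command
     * failed. The pseudo-command {@code NO_OCSP_CHECK} is handled by Tomcat rather than OpenSSL and always passes
     * here. An unexpected exception while checking a command aborts the check and returns false.
     *
     * @param openSSLConf the configured commands
     * @return true when every command is known to OpenSSL and its value is usable
     * @throws Exception retained from the original signature; the visible body does not throw it
     */
    private boolean checkConf(OpenSSLConf openSSLConf) throws Exception {
        boolean result = true;
        for (OpenSSLConfCmd command : openSSLConf.getCommands()) {
            String name = command.getName();
            String value = command.getValue();
            if (name == null) {
                log.error(sm.getString("opensslconf.noCommandName", value));
                result = false;
                continue;
            }
            if (log.isTraceEnabled()) {
                log.trace(sm.getString("opensslconf.checkCommand", name, value));
            }
            int rc;
            // try-with-resources: the confined arena is released on every exit path, not only on success.
            try (Arena arena = Arena.ofConfined()) {
                rc = checkCommand(name, value, arena);
            } catch (Exception e) {
                log.error(sm.getString("opensslconf.checkFailed", e.getLocalizedMessage()));
                return false;
            }
            if (rc <= 0) {
                log.error(sm.getString("opensslconf.failedCommand", name, value, Integer.toString(rc)));
                result = false;
            } else if (log.isTraceEnabled()) {
                log.trace(sm.getString("opensslconf.resultCommand", name, value, Integer.toString(rc)));
            }
        }
        if (!result) {
            log.error(sm.getString("opensslconf.checkFailed"));
        }
        return result;
    }

    /**
     * Checks one command: asks OpenSSL for the value type and verifies that file and directory values exist.
     *
     * @param name  the command name (non-null)
     * @param value the command value; may be null, in which case a file/directory check throws
     * @param arena arena for the native copy of the name
     * @return 1 when the command is acceptable, 0 otherwise (the reason is logged)
     */
    private int checkCommand(String name, String value, Arena arena) {
        if (name.equals("NO_OCSP_CHECK")) {
            return 1;
        }
        int type = openssl_h.SSL_CONF_cmd_value_type(this.state.confCtx, arena.allocateFrom(name));
        int rc = 1;
        String lastError = getLastError();
        if (lastError != null) {
            log.error(sm.getString("opensslconf.checkFailed", lastError));
            rc = 0;
        }
        if (type == openssl_h.SSL_CONF_TYPE_UNKNOWN()) {
            log.error(sm.getString("opensslconf.typeUnknown", name));
            rc = 0;
        }
        if (type == openssl_h.SSL_CONF_TYPE_FILE()) {
            File file = new File(value);
            // The value must be a regular file that is readable; a conjunction here let unreadable files and
            // readable directories pass the check only to fail later inside OpenSSL.
            if (!file.isFile() || !file.canRead()) {
                log.error(sm.getString("opensslconf.badFile", name, value));
                rc = 0;
            }
        }
        if (type == openssl_h.SSL_CONF_TYPE_DIR() && !new File(value).isDirectory()) {
            log.error(sm.getString("opensslconf.badDirectory", name, value));
            rc = 0;
        }
        return rc;
    }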

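    /**
     * Applies the OpenSSLConf commands to this context's SSL_CTX through the SSL_CONF_CTX.
     * <p>
     * Each command is passed to {@code SSL_CONF_cmd}; the pseudo-command {@code NO_OCSP_CHECK} instead sets
     * {@code noOcspCheck} from its boolean value. Failures are logged per command and the result is false if any
     * command or the final {@code SSL_CONF_CTX_finish} failed. An unexpected exception aborts the apply and returns
     * false.
     *
     * @param openSSLConf the configured commands
     * @return true when every command was applied and the configuration context was finished successfully
     * @throws Exception retained from the original signature; the visible body does not throw it
     */
    private boolean applyConf(OpenSSLConf openSSLConf) throws Exception {
        boolean result = true;
        openssl_h.SSL_CONF_CTX_set_ssl_ctx(this.state.confCtx, this.state.sslCtx);
        for (OpenSSLConfCmd command : openSSLConf.getCommands()) {
            String name = command.getName();
            String value = command.getValue();
            if (name == null) {
                log.error(sm.getString("opensslconf.noCommandName", value));
                result = false;
                continue;
            }
            if (log.isTraceEnabled()) {
                log.trace(sm.getString("opensslconf.applyCommand", name, value));
            }
            int rc;
            // try-with-resources: the confined arena is released on every exit path, not only on success.
            try (Arena arena = Arena.ofConfined()) {
                rc = applyCommand(name, value, arena);
            } catch (Exception e) {
                // Keep the exception in the log; previously only the generic message was recorded.
                log.error(sm.getString("opensslconf.applyFailed"), e);
                return false;
            }
            if (rc <= 0) {
                log.error(sm.getString("opensslconf.failedCommand", name, value, Integer.toString(rc)));
                result = false;
            } else if (log.isTraceEnabled()) {
                log.trace(sm.getString("opensslconf.resultCommand", name, value, Integer.toString(rc)));
            }
        }
        int finishRc = openssl_h.SSL_CONF_CTX_finish(this.state.confCtx);
        if (finishRc <= 0) {
            log.error(sm.getString("opensslconf.finishFailed", Integer.toString(finishRc)));
            result = false;
        }
        if (!result) {
            log.error(sm.getString("opensslconf.applyFailed"));
        }
        return result;
    }

    /**
     * Applies one command.
     *
     * @param name  the command name (non-null)
     * @param value the command value
     * @param arena arena for the native copies of name and value
     * @return the positive SSL_CONF_cmd result (1 for the pseudo-command), or 0 when the command failed or left an
     *         error on the OpenSSL error queue
     */
    private int applyCommand(String name, String value, Arena arena) {
        if (name.equals("NO_OCSP_CHECK")) {
            this.noOcspCheck = Boolean.parseBoolean(value);
            return 1;
        }
        int rc = openssl_h.SSL_CONF_cmd(this.state.confCtx, arena.allocateFrom(name), arena.allocateFrom(value));
        // A queued OpenSSL error counts as failure even when SSL_CONF_cmd reported success.
        String lastError = getLastError();
        if (rc <= 0 || lastError != null) {
            log.error(sm.getString("opensslconf.commandError", name, value, lastError));
            return 0;
        }
        return rc;
    }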

    @Override // org.apache.tomcat.util.net.SSLContext
    public void init(KeyManager[] keyManagerArr, TrustManager[] trustManagerArr, SecureRandom secureRandom) {
        boolean z;
        if (this.initialized) {
            log.warn(sm.getString("openssl.doubleInit"));
            return;
        }
        try {
            Arena ofConfined = Arena.ofConfined();
            try {
                if (this.sslHostConfig.getInsecureRenegotiation()) {
                    openssl_h.SSL_CTX_set_options(this.state.sslCtx, openssl_h.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION());
                } else {
                    openssl_h.SSL_CTX_clear_options(this.state.sslCtx, openssl_h.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION());
                }
                if (this.sslHostConfig.getHonorCipherOrder()) {
                    openssl_h.SSL_CTX_set_options(this.state.sslCtx, openssl_h.SSL_OP_CIPHER_SERVER_PREFERENCE());
                } else {
                    openssl_h.SSL_CTX_clear_options(this.state.sslCtx, openssl_h.SSL_OP_CIPHER_SERVER_PREFERENCE());
                }
                if (this.sslHostConfig.getDisableCompression()) {
                    openssl_h.SSL_CTX_set_options(this.state.sslCtx, openssl_h.SSL_OP_NO_COMPRESSION());
                } else {
                    openssl_h.SSL_CTX_clear_options(this.state.sslCtx, openssl_h.SSL_OP_NO_COMPRESSION());
                }
                if (this.sslHostConfig.getDisableSessionTickets()) {
                    openssl_h.SSL_CTX_set_options(this.state.sslCtx, openssl_h.SSL_OP_NO_TICKET());
                } else {
                    openssl_h.SSL_CTX_clear_options(this.state.sslCtx, openssl_h.SSL_OP_NO_TICKET());
                }
                if (this.minTlsVersion <= openssl_h.TLS1_2_VERSION() && openssl_h.SSL_CTX_set_cipher_list(this.state.sslCtx, ofConfined.allocateFrom(this.sslHostConfig.getCiphers())) <= 0) {
                    log.warn(sm.getString("engine.failedCipherList", this.sslHostConfig.getCiphers()));
                }
                if (this.maxTlsVersion >= openssl_h.TLS1_3_VERSION() && this.sslHostConfig.getCiphers() != SSLHostConfig.DEFAULT_TLS_CIPHERS && openssl_h.SSL_CTX_set_ciphersuites(this.state.sslCtx, ofConfined.allocateFrom(this.sslHostConfig.getCiphers())) <= 0) {
                    log.warn(sm.getString("engine.failedCipherSuite", this.sslHostConfig.getCiphers()));
                }
                this.certificate.setCertificateKeyManager(org.apache.tomcat.util.net.openssl.OpenSSLUtil.chooseKeyManager(keyManagerArr, this.certificate.getCertificateFile() == null));
                z = addCertificate(this.certificate, ofConfined);
                int i = 0;
                switch (this.sslHostConfig.getCertificateVerification()) {
                    case NONE:
                        i = openssl_h.SSL_VERIFY_NONE();
                        break;
                    case OPTIONAL:
                        i = openssl_h.SSL_VERIFY_PEER();
                        break;
                    case OPTIONAL_NO_CA:
                        i = 3;
                        break;
                    case REQUIRED:
                        i = openssl_h.SSL_VERIFY_FAIL_IF_NO_PEER_CERT();
                        break;
                }
                openssl_h.SSL_CTX_set_verify(this.state.sslCtx, i, SSL_CTX_set_verify$callback.allocate(new OpenSSLEngine.VerifyCallback(), this.contextArena));
                if (trustManagerArr != null) {
                    this.x509TrustManager = chooseTrustManager(trustManagerArr);
                    openssl_h.SSL_CTX_set_cert_verify_callback(this.state.sslCtx, SSL_CTX_set_cert_verify_callback$cb.allocate(new CertVerifyCallback(this.x509TrustManager), this.contextArena), this.state.sslCtx);
                    for (X509Certificate x509Certificate : this.x509TrustManager.getAcceptedIssuers()) {
                        MemorySegment allocateFrom = ofConfined.allocateFrom(ValueLayout.JAVA_BYTE, x509Certificate.getEncoded());
                        MemorySegment d2i_X509 = openssl_h.d2i_X509(MemorySegment.NULL, ofConfined.allocateFrom(ValueLayout.ADDRESS, allocateFrom), allocateFrom.byteSize());
                        if (MemorySegment.NULL.equals(d2i_X509)) {
                            logLastError("openssl.errorLoadingCertificate");
                        } else if (openssl_h.SSL_CTX_add_client_CA(this.state.sslCtx, d2i_X509) <= 0) {
                            logLastError("openssl.errorAddingCertificate");
                        } else if (log.isDebugEnabled()) {
                            log.debug(sm.getString("openssl.addedClientCaCert", x509Certificate.toString()));
                        }
                    }
                } else {
                    MemorySegment allocateFrom2 = this.sslHostConfig.getCaCertificateFile() != null ? ofConfined.allocateFrom(SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCaCertificateFile())) : MemorySegment.NULL;
                    MemorySegment allocateFrom3 = this.sslHostConfig.getCaCertificatePath() != null ? ofConfined.allocateFrom(SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCaCertificatePath())) : MemorySegment.NULL;
                    if (!(this.sslHostConfig.getCaCertificateFile() == null && this.sslHostConfig.getCaCertificatePath() == null) && openssl_h.SSL_CTX_load_verify_locations(this.state.sslCtx, allocateFrom2, allocateFrom3) <= 0) {
                        logLastError("openssl.errorConfiguringLocations");
                    } else {
                        MemorySegment SSL_CTX_get_client_CA_list = openssl_h.SSL_CTX_get_client_CA_list(this.state.sslCtx);
                        if (MemorySegment.NULL.equals(SSL_CTX_get_client_CA_list)) {
                            SSL_CTX_get_client_CA_list = openssl_h.SSL_load_client_CA_file(allocateFrom2);
                            if (!MemorySegment.NULL.equals(SSL_CTX_get_client_CA_list)) {
                                openssl_h.SSL_CTX_set_client_CA_list(this.state.sslCtx, SSL_CTX_get_client_CA_list);
                            }
                        } else if (MemorySegment.NULL.equals(allocateFrom2) || openssl_h.SSL_add_file_cert_subjects_to_stack(SSL_CTX_get_client_CA_list, allocateFrom2) <= 0) {
                            SSL_CTX_get_client_CA_list = MemorySegment.NULL;
                        }
                        if (MemorySegment.NULL.equals(SSL_CTX_get_client_CA_list)) {
                            log.warn(sm.getString("openssl.noCACerts"));
                        }
                    }
                }
                if (this.negotiableProtocols != null && this.negotiableProtocols.size() > 0) {
                    openssl_h.SSL_CTX_set_alpn_select_cb(this.state.sslCtx, SSL_CTX_set_alpn_select_cb$cb.allocate(new ALPNSelectCallback(this.negotiableProtocols), this.contextArena), this.state.sslCtx);
                }
                OpenSSLConf openSslConf = this.sslHostConfig.getOpenSslConf();
                if (openSslConf != null && !MemorySegment.NULL.equals(this.state.confCtx)) {
                    if (log.isTraceEnabled()) {
                        log.trace(sm.getString("openssl.checkConf"));
                    }
                    try {
                        if (!checkConf(openSslConf)) {
                            log.error(sm.getString("openssl.errCheckConf"));
                        }
                    } catch (Exception e) {
                        log.error(sm.getString("openssl.errCheckConf"), e);
                    }
                    if (log.isTraceEnabled()) {
                        log.trace(sm.getString("openssl.applyConf"));
                    }
                    try {
                        if (!applyConf(openSslConf)) {
                            log.error(sm.getString("openssl.errApplyConf"));
                        }
                    } catch (Exception e2) {
                        log.error(sm.getString("openssl.errApplyConf"), e2);
                    }
                    long SSL_CTX_get_options = openssl_h.SSL_CTX_get_options(this.state.sslCtx);
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(Constants.SSL_PROTO_SSLv2Hello);
                    if ((SSL_CTX_get_options & openssl_h.SSL_OP_NO_TLSv1()) == 0) {
                        arrayList.add(Constants.SSL_PROTO_TLSv1);
                    }
                    if ((SSL_CTX_get_options & openssl_h.SSL_OP_NO_TLSv1_1()) == 0) {
                        arrayList.add(Constants.SSL_PROTO_TLSv1_1);
                    }
                    if ((SSL_CTX_get_options & openssl_h.SSL_OP_NO_TLSv1_2()) == 0) {
                        arrayList.add(Constants.SSL_PROTO_TLSv1_2);
                    }
                    if ((SSL_CTX_get_options & openssl_h.SSL_OP_NO_TLSv1_3()) == 0) {
                        arrayList.add(Constants.SSL_PROTO_TLSv1_3);
                    }
                    if ((SSL_CTX_get_options & openssl_h.SSL_OP_NO_SSLv2()) == 0) {
                        arrayList.add("SSLv2");
                    }
                    if ((SSL_CTX_get_options & openssl_h.SSL_OP_NO_SSLv3()) == 0) {
                        arrayList.add(Constants.SSL_PROTO_SSLv3);
                    }
                    this.sslHostConfig.setEnabledProtocols((String[]) arrayList.toArray(new String[0]));
                    this.sslHostConfig.setEnabledCiphers(getCiphers(this.state.sslCtx));
                }
                this.sessionContext = new OpenSSLSessionContext(this);
                this.sessionContext.setSessionIdContext(DEFAULT_SESSION_ID_CONTEXT);
                this.sslHostConfig.setOpenSslContext(Long.valueOf(this.state.sslCtx.address()));
                this.initialized = true;
                if (ofConfined != null) {
                    ofConfined.close();
                }
            } finally {
            }
        } catch (Exception e3) {
            log.warn(sm.getString("openssl.errorSSLCtxInit"), e3);
            z = false;
        }
        if (z) {
            return;
        }
        destroy();
    }

    /**
     * Exposes the raw native {@code SSL_CTX} handle held in {@code state}.
     * <p>
     * The segment returned is the same one this class passes to every
     * {@code openssl_h.SSL_CTX_*} call, so callers share ownership semantics
     * with this context rather than receiving a copy.
     *
     * @return the {@code SSL_CTX} memory segment held by this context's state
     */
    public MemorySegment getSSLContext() {
        final MemorySegment nativeCtx = state.sslCtx;
        return nativeCtx;
    }

    /**
     * Maps a (authentication, key-exchange) code pair to the authentication
     * method name used in cipher descriptions.
     * <p>
     * The second argument selects the key-exchange family; for the ephemeral
     * families (codes 8 and 80) the first argument picks the variant
     * (1: RSA, 2: DSS, 4: anonymous, 40: ECDSA). Anything not listed yields
     * {@code "UNKNOWN"}.
     * <p>
     * NOTE(review): the family labels are decimal literals (10, 20, 40, 80),
     * while the last label is {@code NID_kx_rsa}; which encoding the caller
     * actually supplies is not visible here — confirm against the call site,
     * since a mismatch would make most branches unreachable.
     *
     * @param auth authentication code
     * @param kx   key-exchange code
     * @return the authentication method name, or {@code "UNKNOWN"}
     */
    private static String getCipherAuthenticationMethod(int auth, int kx) {
        return switch (kx) {
            case 2 -> "DH_RSA";
            case 4 -> "DH_DSS";
            case 8 -> switch (auth) {
                case 1 -> "DHE_RSA";
                case 2 -> "DHE_DSS";
                case 4 -> "DH_anon";
                default -> "UNKNOWN";
            };
            case 10 -> SSL_TXT_KRB5;
            case 20 -> "ECDH_RSA";
            case 40 -> "ECDH_ECDSA";
            case 80 -> switch (auth) {
                case 1 -> "ECDHE_RSA";
                case 4 -> "ECDH_anon";
                case 40 -> "ECDHE_ECDSA";
                default -> "UNKNOWN";
            };
            case NID_kx_rsa -> SSL_TXT_RSA;
            default -> "UNKNOWN";
        };
    }

    /**
     * Installs the server certificate and private key described by
     * {@code sSLHostConfigCertificate} into {@code state.sslCtx}, then configures
     * the DH / EC parameters and CRL lookups that accompany it.
     * <p>
     * Two sources are supported:
     * <ul>
     * <li>no {@code certificateFile}: chain and key come from the configured
     * {@link X509KeyManager} (keystore-backed); the key is re-encoded as PEM in
     * memory so OpenSSL can parse it;</li>
     * <li>a {@code certificateFile}: loaded through {@link ConfigFileLoader}, either
     * as PKCS#12 (file name ending in {@code .pkcs12}) or as PEM/DER with the key
     * in the same file or in {@code certificateKeyFile}.</li>
     * </ul>
     * Every failure is logged via {@code log} / {@code logLastError} and reported as
     * {@code false}; nothing already installed in the {@code SSL_CTX} is undone.
     * <p>
     * NOTE(review): this listing reads like decompiled output (hoisted locals,
     * empty {@code finally} blocks, {@code BIO_free} repeated before each early
     * return AND in the enclosing {@code finally}). Treat the repeated frees as a
     * rendering of a single {@code finally} rather than a genuine double free
     * until confirmed against the original source.
     *
     * @param sSLHostConfigCertificate the certificate configuration to install
     * @param arena                    arena backing every native buffer created here,
     *                                 including copies of key material and passwords;
     *                                 nothing here scrubs them, they live until the
     *                                 caller closes the arena
     * @return {@code true} when certificate, key and ancillary parameters were
     *         installed, {@code false} after a logged failure
     * @throws Exception propagated from the key manager / certificate encoding
     *                   calls on the keystore path (the file path catches its own
     *                   {@link IOException}s)
     */
    private boolean addCertificate(SSLHostConfigCertificate sSLHostConfigCertificate, Arena arena) throws Exception {
        MemorySegment BIO_new;
        String readLine;
        ConfigurationSource.Resource resource;
        MemorySegment memorySegment;
        MemorySegment PEM_read_bio_X509_AUX;
        MemorySegment findOrThrow;
        // 0 for RSA/UNDEFINED certificates (see getCertificateIndex); DH parameters
        // are only read for that slot further down.
        int certificateIndex = getCertificateIndex(sSLHostConfigCertificate);
        if (sSLHostConfigCertificate.getCertificateFile() == null) {
            // --- keystore-backed path: chain and key come from the X509KeyManager ---
            String certificateKeyAlias = sSLHostConfigCertificate.getCertificateKeyAlias();
            X509KeyManager certificateKeyManager = sSLHostConfigCertificate.getCertificateKeyManager();
            if (certificateKeyAlias == null) {
                certificateKeyAlias = SSLUtilBase.DEFAULT_KEY_ALIAS;
            }
            X509Certificate[] certificateChain = certificateKeyManager.getCertificateChain(certificateKeyAlias);
            if (certificateChain == null) {
                // Configured/default alias not present: let findAlias pick one.
                certificateKeyAlias = findAlias(certificateKeyManager, sSLHostConfigCertificate);
                certificateChain = certificateKeyManager.getCertificateChain(certificateKeyAlias);
            }
            // NOTE(review): no null check after the fallback; a chain that is still
            // null surfaces as a NullPointerException to the caller's catch block.
            // DER leaf certificate plus the pointer-to-pointer d2i_X509 expects.
            MemorySegment allocateFrom = arena.allocateFrom(ValueLayout.JAVA_BYTE, certificateChain[0].getEncoded());
            MemorySegment allocateFrom2 = arena.allocateFrom(ValueLayout.ADDRESS, allocateFrom);
            // The PKCS#8 key is wrapped as PEM (BEGIN_KEY/END_KEY, 64-column MIME
            // base64 with LF separators) so PEM_read_bio_PrivateKey can read it.
            // The intermediate Java String and this native copy both hold the raw
            // private key; neither is zeroed here.
            MemorySegment allocateFrom3 = arena.allocateFrom(ValueLayout.JAVA_BYTE, (BEGIN_KEY + Base64.getMimeEncoder(64, new byte[]{10}).encodeToString(certificateKeyManager.getPrivateKey(certificateKeyAlias).getEncoded()) + END_KEY).getBytes(StandardCharsets.US_ASCII));
            MemorySegment d2i_X509 = openssl_h.d2i_X509(MemorySegment.NULL, allocateFrom2, allocateFrom.byteSize());
            if (MemorySegment.NULL.equals(d2i_X509)) {
                logLastError("openssl.errorLoadingCertificate");
                return false;
            }
            BIO_new = openssl_h.BIO_new(openssl_h.BIO_s_mem());
            try {
                openssl_h.BIO_write(BIO_new, allocateFrom3, (int) allocateFrom3.byteSize());
                // No password callback: the in-memory PEM is unencrypted.
                MemorySegment PEM_read_bio_PrivateKey = openssl_h.PEM_read_bio_PrivateKey(BIO_new, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
                if (MemorySegment.NULL.equals(PEM_read_bio_PrivateKey)) {
                    logLastError("openssl.errorLoadingPrivateKey");
                    openssl_h.BIO_free(BIO_new);
                    return false;
                }
                if (openssl_h.SSL_CTX_use_certificate(this.state.sslCtx, d2i_X509) <= 0) {
                    logLastError("openssl.errorLoadingCertificate");
                    openssl_h.BIO_free(BIO_new);
                    return false;
                }
                if (openssl_h.SSL_CTX_use_PrivateKey(this.state.sslCtx, PEM_read_bio_PrivateKey) <= 0) {
                    logLastError("openssl.errorLoadingPrivateKey");
                    openssl_h.BIO_free(BIO_new);
                    return false;
                }
                // Rejects a key that does not match the certificate just installed.
                if (openssl_h.SSL_CTX_check_private_key(this.state.sslCtx) <= 0) {
                    logLastError("openssl.errorPrivateKeyCheck");
                    openssl_h.BIO_free(BIO_new);
                    return false;
                }
                if (OPENSSL_3) {
                    // Re-read the same BIO for DH parameters; on this path it only
                    // holds the key PEM, so the usual outcome is the DH_AUTO fallback.
                    openssl_h_Macros.BIO_reset(BIO_new);
                    MemorySegment PEM_read_bio_Parameters = openssl_h.PEM_read_bio_Parameters(BIO_new, MemorySegment.NULL);
                    if (MemorySegment.NULL.equals(PEM_read_bio_Parameters)) {
                        openssl_h.SSL_CTX_ctrl(this.state.sslCtx, openssl_h.SSL_CTRL_SET_DH_AUTO(), 1L, MemorySegment.NULL);
                    } else {
                        int EVP_PKEY_get_bits = openssl_h.EVP_PKEY_get_bits(PEM_read_bio_Parameters);
                        // set0: ownership moves to the SSL_CTX on success, so only free on failure.
                        if (openssl_h.SSL_CTX_set0_tmp_dh_pkey(this.state.sslCtx, PEM_read_bio_Parameters) <= 0) {
                            openssl_h.EVP_PKEY_free(PEM_read_bio_Parameters);
                        } else {
                            log.debug(sm.getString("openssl.setCustomDHParameters", Integer.valueOf(EVP_PKEY_get_bits), sSLHostConfigCertificate.getCertificateFile()));
                        }
                    }
                } else {
                    // Pre-3.0: DH parameters are chosen per handshake by TmpDHCallback.
                    openssl_h.SSL_CTX_set_tmp_dh_callback(this.state.sslCtx, SSL_CTX_set_tmp_dh_callback$dh.allocate(new TmpDHCallback(), this.contextArena));
                }
                // Remaining chain certificates; add0 hands the X509 to the SSL_CTX,
                // which is why nothing is freed here on success.
                for (int i = 1; i < certificateChain.length; i++) {
                    MemorySegment allocateFrom4 = arena.allocateFrom(ValueLayout.JAVA_BYTE, certificateChain[i].getEncoded());
                    MemorySegment d2i_X5092 = openssl_h.d2i_X509(MemorySegment.NULL, arena.allocateFrom(ValueLayout.ADDRESS, allocateFrom4), allocateFrom4.byteSize());
                    if (MemorySegment.NULL.equals(d2i_X5092)) {
                        logLastError("openssl.errorLoadingCertificate");
                        openssl_h.BIO_free(BIO_new);
                        return false;
                    }
                    if (openssl_h_Macros.SSL_CTX_add0_chain_cert(this.state.sslCtx, d2i_X5092) <= 0) {
                        logLastError("openssl.errorAddingCertificate");
                        openssl_h.BIO_free(BIO_new);
                        return false;
                    }
                }
                openssl_h.BIO_free(BIO_new);
                return true;
            } finally {
                openssl_h.BIO_free(BIO_new);
            }
        }
        // --- file-backed path ---
        // Password resolution: the key password falls back to the keystore
        // password, the password file to the keystore password file, and a
        // password file (first line only, as read) wins over the inline value.
        String certificateKeyPassword = sSLHostConfigCertificate.getCertificateKeyPassword();
        if (certificateKeyPassword == null) {
            certificateKeyPassword = sSLHostConfigCertificate.getCertificateKeystorePassword();
        }
        String certificateKeyPasswordFile = sSLHostConfigCertificate.getCertificateKeyPasswordFile();
        if (certificateKeyPasswordFile == null) {
            certificateKeyPasswordFile = sSLHostConfigCertificate.getCertificateKeystorePasswordFile();
        }
        if (certificateKeyPasswordFile != null) {
            try {
                BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(ConfigFileLoader.getSource().getResource(certificateKeyPasswordFile).getInputStream(), StandardCharsets.UTF_8));
                try {
                    // Only the first line is used; trailing whitespace is not stripped.
                    // NOTE(review): as rendered, the reader is closed only on the
                    // success path (the finally is empty) — presumably a
                    // try-with-resources in the original; confirm.
                    readLine = bufferedReader.readLine();
                    bufferedReader.close();
                } finally {
                }
            } catch (IOException e) {
                log.error(sm.getString("openssl.errorLoadingPassword", certificateKeyPasswordFile), e);
                return false;
            }
        } else {
            readLine = certificateKeyPassword;
        }
        try {
            ConfigurationSource.Resource resource2 = ConfigFileLoader.getSource().getResource(sSLHostConfigCertificate.getCertificateFile());
            try {
                byte[] readAllBytes = resource2.getInputStream().readAllBytes();
                if (resource2 != null) {
                    resource2.close();
                }
                // Whole certificate file copied into a memory BIO for the PEM/DER/PKCS#12 readers.
                MemorySegment allocateFrom5 = arena.allocateFrom(ValueLayout.JAVA_BYTE, readAllBytes);
                BIO_new = openssl_h.BIO_new(openssl_h.BIO_s_mem());
                try {
                    if (openssl_h.BIO_write(BIO_new, allocateFrom5, readAllBytes.length) <= 0) {
                        log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateFile(), getLastError()));
                        return false;
                    }
                    MemorySegment memorySegment2 = MemorySegment.NULL;
                    MemorySegment memorySegment3 = MemorySegment.NULL;
                    // Format is chosen by file-name suffix only (case-sensitive ".pkcs12");
                    // any other name, e.g. ".p12", takes the PEM/DER branch.
                    if (sSLHostConfigCertificate.getCertificateFile().endsWith(".pkcs12")) {
                        MemorySegment d2i_PKCS12_bio = openssl_h.d2i_PKCS12_bio(BIO_new, MemorySegment.NULL);
                        if (MemorySegment.NULL.equals(d2i_PKCS12_bio)) {
                            log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateFile(), getLastError()));
                            openssl_h.BIO_free(BIO_new);
                            return false;
                        }
                        // Null/empty password is passed as NULL with length 0; otherwise
                        // the length excludes the NUL terminator allocateFrom appends.
                        MemorySegment memorySegment4 = MemorySegment.NULL;
                        int i2 = 0;
                        if (readLine != null && readLine.length() > 0) {
                            memorySegment4 = arena.allocateFrom(readLine);
                            i2 = (int) (memorySegment4.byteSize() - 1);
                        }
                        // MAC check before parsing, so a wrong password is reported here.
                        if (openssl_h.PKCS12_verify_mac(d2i_PKCS12_bio, memorySegment4, i2) <= 0) {
                            log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateFile(), getLastError()));
                            openssl_h.PKCS12_free(d2i_PKCS12_bio);
                            openssl_h.BIO_free(BIO_new);
                            return false;
                        }
                        // Out-params: allocate2 receives the key, allocate the certificate;
                        // the trailing NULL discards any extra CA certificates in the bundle.
                        MemorySegment allocate = arena.allocate(ValueLayout.ADDRESS);
                        MemorySegment allocate2 = arena.allocate(ValueLayout.ADDRESS);
                        if (openssl_h.PKCS12_parse(d2i_PKCS12_bio, memorySegment4, allocate2, allocate, MemorySegment.NULL) <= 0) {
                            log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateFile(), getLastError()));
                            openssl_h.PKCS12_free(d2i_PKCS12_bio);
                            openssl_h.BIO_free(BIO_new);
                            return false;
                        }
                        openssl_h.PKCS12_free(d2i_PKCS12_bio);
                        PEM_read_bio_X509_AUX = allocate.get(ValueLayout.ADDRESS, 0L);
                        memorySegment = allocate2.get(ValueLayout.ADDRESS, 0L);
                    } else {
                        // Key file defaults to the certificate file itself (combined PEM).
                        String certificateFile = sSLHostConfigCertificate.getCertificateKeyFile() == null ? sSLHostConfigCertificate.getCertificateFile() : sSLHostConfigCertificate.getCertificateKeyFile();
                        try {
                            resource = ConfigFileLoader.getSource().getResource(certificateFile);
                            try {
                                byte[] readAllBytes2 = resource.getInputStream().readAllBytes();
                                if (resource != null) {
                                    resource.close();
                                }
                                MemorySegment allocateFrom6 = arena.allocateFrom(ValueLayout.JAVA_BYTE, readAllBytes2);
                                MemorySegment BIO_new2 = openssl_h.BIO_new(openssl_h.BIO_s_mem());
                                try {
                                    if (openssl_h.BIO_write(BIO_new2, allocateFrom6, readAllBytes2.length) <= 0) {
                                        log.error(sm.getString("openssl.errorLoadingCertificateWithError", certificateFile, getLastError()));
                                        openssl_h.BIO_free(BIO_new2);
                                        openssl_h.BIO_free(BIO_new);
                                        return false;
                                    }
                                    memorySegment = MemorySegment.NULL;
                                    // Up to three attempts, rewinding the BIO between them.
                                    // Each attempt allocates a new PasswordCallback upcall
                                    // stub in contextArena; those are only released with it.
                                    for (int i3 = 0; i3 < 3; i3++) {
                                        memorySegment = openssl_h.PEM_read_bio_PrivateKey(BIO_new2, MemorySegment.NULL, pem_password_cb.allocate(new PasswordCallback(readLine), this.contextArena), MemorySegment.NULL);
                                        if (!MemorySegment.NULL.equals(memorySegment)) {
                                            break;
                                        }
                                        openssl_h_Macros.BIO_reset(BIO_new2);
                                    }
                                    openssl_h.BIO_free(BIO_new2);
                                    // Last resort when an engine is configured: hand the key
                                    // file path to the engine as the key identifier.
                                    if (MemorySegment.NULL.equals(memorySegment) && !MemorySegment.NULL.equals(OpenSSLLibrary.enginePointer)) {
                                        memorySegment = openssl_h.ENGINE_load_private_key(OpenSSLLibrary.enginePointer, arena.allocateFrom(SSLHostConfig.adjustRelativePath(certificateFile)), MemorySegment.NULL, MemorySegment.NULL);
                                    }
                                    if (MemorySegment.NULL.equals(memorySegment)) {
                                        log.error(sm.getString("openssl.errorLoadingCertificateWithError", certificateFile, getLastError()));
                                        openssl_h.BIO_free(BIO_new);
                                        return false;
                                    }
                                    // Certificate as PEM first; PEM_R_NO_START_LINE means "not PEM",
                                    // so retry the same bytes as DER.
                                    PEM_read_bio_X509_AUX = openssl_h.PEM_read_bio_X509_AUX(BIO_new, MemorySegment.NULL, pem_password_cb.allocate(new PasswordCallback(readLine), this.contextArena), MemorySegment.NULL);
                                    if (MemorySegment.NULL.equals(PEM_read_bio_X509_AUX) && (openssl_h.ERR_peek_last_error() & openssl_h.ERR_REASON_MASK()) == openssl_h.PEM_R_NO_START_LINE()) {
                                        openssl_h.ERR_clear_error();
                                        openssl_h_Macros.BIO_reset(BIO_new);
                                        PEM_read_bio_X509_AUX = openssl_h.d2i_X509_bio(BIO_new, MemorySegment.NULL);
                                    }
                                    if (MemorySegment.NULL.equals(PEM_read_bio_X509_AUX)) {
                                        log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateFile(), getLastError()));
                                        openssl_h.BIO_free(BIO_new);
                                        return false;
                                    }
                                } finally {
                                    openssl_h.BIO_free(BIO_new2);
                                }
                            } finally {
                            }
                        } catch (IOException e2) {
                            log.error(sm.getString("openssl.errorLoadingCertificate", certificateFile), e2);
                            openssl_h.BIO_free(BIO_new);
                            return false;
                        }
                    }
                    // Common tail for both formats: install, then verify key/cert match.
                    if (openssl_h.SSL_CTX_use_certificate(this.state.sslCtx, PEM_read_bio_X509_AUX) <= 0) {
                        logLastError("openssl.errorLoadingCertificate");
                        openssl_h.BIO_free(BIO_new);
                        return false;
                    }
                    if (openssl_h.SSL_CTX_use_PrivateKey(this.state.sslCtx, memorySegment) <= 0) {
                        logLastError("openssl.errorLoadingPrivateKey");
                        openssl_h.BIO_free(BIO_new);
                        return false;
                    }
                    if (openssl_h.SSL_CTX_check_private_key(this.state.sslCtx) <= 0) {
                        logLastError("openssl.errorPrivateKeyCheck");
                        openssl_h.BIO_free(BIO_new);
                        return false;
                    }
                    // DH parameters are only taken from the first (RSA/UNDEFINED) certificate file.
                    if (certificateIndex == 0) {
                        openssl_h_Macros.BIO_reset(BIO_new);
                        if (OPENSSL_3) {
                            MemorySegment PEM_read_bio_Parameters2 = openssl_h.PEM_read_bio_Parameters(BIO_new, MemorySegment.NULL);
                            if (MemorySegment.NULL.equals(PEM_read_bio_Parameters2)) {
                                // No embedded parameters: let OpenSSL pick DH groups automatically.
                                openssl_h.SSL_CTX_ctrl(this.state.sslCtx, openssl_h.SSL_CTRL_SET_DH_AUTO(), 1L, MemorySegment.NULL);
                            } else {
                                int EVP_PKEY_get_bits2 = openssl_h.EVP_PKEY_get_bits(PEM_read_bio_Parameters2);
                                if (openssl_h.SSL_CTX_set0_tmp_dh_pkey(this.state.sslCtx, PEM_read_bio_Parameters2) <= 0) {
                                    openssl_h.EVP_PKEY_free(PEM_read_bio_Parameters2);
                                } else {
                                    log.debug(sm.getString("openssl.setCustomDHParameters", Integer.valueOf(EVP_PKEY_get_bits2), sSLHostConfigCertificate.getCertificateFile()));
                                }
                            }
                        } else {
                            MemorySegment PEM_read_bio_DHparams = openssl_h.PEM_read_bio_DHparams(BIO_new, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
                            if (!MemorySegment.NULL.equals(PEM_read_bio_DHparams)) {
                                openssl_h_Macros.SSL_CTX_set_tmp_dh(this.state.sslCtx, PEM_read_bio_DHparams);
                                openssl_h.DH_free(PEM_read_bio_DHparams);
                            }
                        }
                    }
                    // EC parameters embedded in the certificate file, if any, pin the
                    // group (3.x: SSL_CTX_set1_groups; older: SSL_CTX_set_tmp_ecdh).
                    openssl_h_Macros.BIO_reset(BIO_new);
                    if (OPENSSL_3) {
                        findOrThrow = openssl_h.findOrThrow("d2i_ECPKParameters");
                        MemorySegment PEM_ASN1_read_bio = openssl_h.PEM_ASN1_read_bio(findOrThrow, openssl_h.PEM_STRING_ECPARAMETERS(), BIO_new, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
                        if (!MemorySegment.NULL.equals(PEM_ASN1_read_bio)) {
                            int EC_GROUP_get_curve_name = openssl_h.EC_GROUP_get_curve_name(PEM_ASN1_read_bio);
                            // A failed set1_groups is only reflected as curve 0 in the debug log.
                            if (openssl_h_Macros.SSL_CTX_set1_groups(this.state.sslCtx, arena.allocateFrom(ValueLayout.JAVA_INT, EC_GROUP_get_curve_name), 1) <= 0) {
                                EC_GROUP_get_curve_name = 0;
                            }
                            if (log.isDebugEnabled()) {
                                log.debug(sm.getString("openssl.setECDHCurve", Integer.valueOf(EC_GROUP_get_curve_name), sSLHostConfigCertificate.getCertificateFile()));
                            }
                            openssl_h.EC_GROUP_free(PEM_ASN1_read_bio);
                        }
                    } else {
                        MemorySegment PEM_read_bio_ECPKParameters = openssl_h.PEM_read_bio_ECPKParameters(BIO_new, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
                        if (!MemorySegment.NULL.equals(PEM_read_bio_ECPKParameters)) {
                            MemorySegment EC_KEY_new_by_curve_name = openssl_h.EC_KEY_new_by_curve_name(openssl_h.EC_GROUP_get_curve_name(PEM_read_bio_ECPKParameters));
                            openssl_h_Macros.SSL_CTX_set_tmp_ecdh(this.state.sslCtx, EC_KEY_new_by_curve_name);
                            openssl_h.EC_KEY_free(EC_KEY_new_by_curve_name);
                            openssl_h.EC_GROUP_free(PEM_read_bio_ECPKParameters);
                        }
                        openssl_h.SSL_CTX_set_tmp_dh_callback(this.state.sslCtx, SSL_CTX_set_tmp_dh_callback$dh.allocate(new TmpDHCallback(), this.contextArena));
                    }
                    // Optional chain file: every PEM certificate in it is appended with add0.
                    if (sSLHostConfigCertificate.getCertificateChainFile() != null) {
                        try {
                            resource = ConfigFileLoader.getSource().getResource(sSLHostConfigCertificate.getCertificateChainFile());
                            try {
                                byte[] readAllBytes3 = resource.getInputStream().readAllBytes();
                                if (resource != null) {
                                    resource.close();
                                }
                                MemorySegment allocateFrom7 = arena.allocateFrom(ValueLayout.JAVA_BYTE, readAllBytes3);
                                MemorySegment BIO_new3 = openssl_h.BIO_new(openssl_h.BIO_s_mem());
                                try {
                                    if (openssl_h.BIO_write(BIO_new3, allocateFrom7, readAllBytes3.length) <= 0) {
                                        log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateChainFile(), getLastError()));
                                        openssl_h.BIO_free(BIO_new3);
                                        openssl_h.BIO_free(BIO_new);
                                        return false;
                                    }
                                    // A failed add0 is logged but does not abort the load.
                                    for (MemorySegment PEM_read_bio_X509_AUX2 = openssl_h.PEM_read_bio_X509_AUX(BIO_new3, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); !MemorySegment.NULL.equals(PEM_read_bio_X509_AUX2); PEM_read_bio_X509_AUX2 = openssl_h.PEM_read_bio_X509_AUX(BIO_new3, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL)) {
                                        if (openssl_h_Macros.SSL_CTX_add0_chain_cert(this.state.sslCtx, PEM_read_bio_X509_AUX2) <= 0) {
                                            log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateChainFile(), getLastError()));
                                        }
                                    }
                                    // The loop ends on a read error; NO_START_LINE is the expected
                                    // end-of-file condition, anything else is a real parse error.
                                    if ((openssl_h.ERR_peek_last_error() & openssl_h.ERR_REASON_MASK()) == openssl_h.PEM_R_NO_START_LINE()) {
                                        openssl_h.ERR_clear_error();
                                    } else {
                                        log.error(sm.getString("openssl.errorLoadingCertificateWithError", sSLHostConfigCertificate.getCertificateChainFile(), getLastError()));
                                    }
                                    openssl_h.BIO_free(BIO_new3);
                                } finally {
                                    openssl_h.BIO_free(BIO_new3);
                                }
                            } finally {
                            }
                        } catch (IOException e3) {
                            log.error(sm.getString("openssl.errorLoadingCertificate", sSLHostConfigCertificate.getCertificateChainFile()), e3);
                            openssl_h.BIO_free(BIO_new);
                            return false;
                        }
                    }
                    // CRL sources for peer verification: a PEM file and/or a hashed directory.
                    // Failures here are logged only; the load still reports success.
                    MemorySegment SSL_CTX_get_cert_store = openssl_h.SSL_CTX_get_cert_store(this.state.sslCtx);
                    if (this.sslHostConfig.getCertificateRevocationListFile() != null && openssl_h_Macros.X509_LOOKUP_load_file(openssl_h.X509_STORE_add_lookup(SSL_CTX_get_cert_store, openssl_h.X509_LOOKUP_file()), arena.allocateFrom(SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCertificateRevocationListFile())), openssl_h.X509_FILETYPE_PEM()) <= 0) {
                        log.error(sm.getString("openssl.errorLoadingCertificateRevocationListWithError", this.sslHostConfig.getCertificateRevocationListFile(), getLastError()));
                    }
                    if (this.sslHostConfig.getCertificateRevocationListPath() != null && openssl_h_Macros.X509_LOOKUP_add_dir(openssl_h.X509_STORE_add_lookup(SSL_CTX_get_cert_store, openssl_h.X509_LOOKUP_hash_dir()), arena.allocateFrom(SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCertificateRevocationListPath())), openssl_h.X509_FILETYPE_PEM()) <= 0) {
                        log.error(sm.getString("openssl.errorLoadingCertificateRevocationListWithError", this.sslHostConfig.getCertificateRevocationListPath(), getLastError()));
                    }
                    // NOTE(review): CRL checking for the whole chain is enabled unconditionally,
                    // even when neither a CRL file nor a CRL path is configured — confirm the
                    // verify callbacks tolerate that, or gate this on one of them being set.
                    openssl_h.X509_STORE_set_flags(SSL_CTX_get_cert_store, openssl_h.X509_V_FLAG_CRL_CHECK() | openssl_h.X509_V_FLAG_CRL_CHECK_ALL());
                    openssl_h.BIO_free(BIO_new);
                    return true;
                } catch (Throwable th) {
                    openssl_h.BIO_free(BIO_new);
                    throw th;
                }
            } catch (Throwable th2) {
                if (resource2 != null) {
                    try {
                        resource2.close();
                    } catch (Throwable th3) {
                        th2.addSuppressed(th3);
                    }
                }
                throw th2;
            }
        } catch (IOException e4) {
            log.error(sm.getString("openssl.errorLoadingCertificate", sSLHostConfigCertificate.getCertificateFile()), e4);
            return false;
        }
    }

    /**
     * Maps a certificate's key type to the slot index that the native context
     * uses for it.
     *
     * @param sSLHostConfigCertificate the certificate whose type is inspected
     * @return {@code 0} for {@code RSA} and {@code UNDEFINED}, {@code 1} for
     *         {@code DSA}, {@code 3} for {@code EC}, and {@code 4} for any
     *         other type
     */
    private static int getCertificateIndex(SSLHostConfigCertificate sSLHostConfigCertificate) {
        SSLHostConfigCertificate.Type type = sSLHostConfigCertificate.getType();
        int index;
        if (type == SSLHostConfigCertificate.Type.RSA || type == SSLHostConfigCertificate.Type.UNDEFINED) {
            // An undefined type shares the RSA slot
            index = 0;
        } else if (type == SSLHostConfigCertificate.Type.EC) {
            index = 3;
        } else if (type == SSLHostConfigCertificate.Type.DSA) {
            index = 1;
        } else {
            index = 4;
        }
        return index;
    }

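    /**
     * Asks the key manager for a server alias matching the certificate's key
     * type. When the type is {@code UNDEFINED}, every concrete type is tried in
     * enum declaration order until the key manager returns an alias.
     *
     * @param x509KeyManager the key manager consulted for aliases
     * @param sSLHostConfigCertificate the certificate whose type constrains the search
     * @return the first alias found, or {@code null} if the key manager offers none
     */
    private static String findAlias(X509KeyManager x509KeyManager, SSLHostConfigCertificate sSLHostConfigCertificate) {
        SSLHostConfigCertificate.Type type = sSLHostConfigCertificate.getType();
        // Typed list instead of the raw ArrayList/Iterator pair
        List<SSLHostConfigCertificate.Type> candidateTypes;
        if (SSLHostConfigCertificate.Type.UNDEFINED.equals(type)) {
            // Try every concrete type, in declaration order
            candidateTypes = new ArrayList<>(Arrays.asList(SSLHostConfigCertificate.Type.values()));
            candidateTypes.remove(SSLHostConfigCertificate.Type.UNDEFINED);
        } else {
            candidateTypes = new ArrayList<>();
            candidateTypes.add(type);
        }
        for (SSLHostConfigCertificate.Type candidate : candidateTypes) {
            String alias = x509KeyManager.chooseServerAlias(candidate.toString(), null, null);
            if (alias != null) {
                return alias;
            }
        }
        return null;
    }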

    /**
     * Selects the first {@link X509TrustManager} from the supplied array.
     *
     * @param trustManagerArr the trust managers to search, in priority order
     * @return the first entry that is an {@code X509TrustManager}
     * @throws IllegalStateException if no entry is an {@code X509TrustManager}
     */
    private static X509TrustManager chooseTrustManager(TrustManager[] trustManagerArr) {
        return Arrays.stream(trustManagerArr)
                .filter(X509TrustManager.class::isInstance)
                .map(X509TrustManager.class::cast)
                .findFirst()
                .orElseThrow(() -> new IllegalStateException(sm.getString("openssl.trustManagerMissing")));
    }

    /**
     * Wraps each encoded certificate in an {@code OpenSSLX509Certificate}.
     *
     * @param bArr the encoded certificates, one per element
     * @return an array of the same length with one wrapper per input element
     */
    private static X509Certificate[] certificates(byte[][] bArr) {
        return Arrays.stream(bArr)
                .map(encoded -> new OpenSSLX509Certificate(encoded))
                .toArray(X509Certificate[]::new);
    }

    /**
     * Logs the most recent OpenSSL error, if there is one, using the given
     * message key.
     *
     * @param str the resource key whose single argument is the error text
     */
    private static void logLastError(String str) {
        String lastError = getLastError();
        if (lastError == null) {
            // Nothing queued in the OpenSSL error stack
            return;
        }
        log.error(sm.getString(str, lastError));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r2v1 */
    /* JADX WARN: Type inference failed for: r2v2 */
    /* JADX WARN: Type inference failed for: r2v4 */
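    /**
     * Drains the OpenSSL error stack for the current thread and returns the
     * text of the first error on it. Every error drained is logged at debug
     * level, so the stack is empty when this method returns.
     *
     * @return the first error's text, or {@code null} if no error was queued
     */
    public static String getLastError() {
        String sslError = null;
        long error = openssl_h.ERR_get_error();
        if (error != openssl_h.SSL_ERROR_NONE()) {
            // Confined arena: the buffer lives only for this call, on this thread
            try (Arena localArena = Arena.ofConfined()) {
                // One buffer is enough: ERR_error_string_n NUL-terminates each write
                MemorySegment buf = localArena.allocate(ValueLayout.JAVA_BYTE, 256L);
                do {
                    openssl_h.ERR_error_string_n(error, buf, 256);
                    String err = buf.getString(0L);
                    if (sslError == null) {
                        sslError = err;
                    }
                    if (log.isDebugEnabled()) {
                        log.debug(sm.getString("engine.openSSLError", Long.toString(error), err));
                    }
                    error = openssl_h.ERR_get_error();
                } while (error != openssl_h.SSL_ERROR_NONE());
            }
        }
        return sslError;
    }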

    /**
     * Returns the session context shared by engines created from this context.
     *
     * @return the server session context held by this instance
     */
    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLSessionContext getServerSessionContext() {
        return sessionContext;
    }

    /**
     * Creates a new server-side engine backed by this context's native
     * {@code SSL_CTX}.
     *
     * @return a fresh {@link OpenSSLEngine} bound to this context
     */
    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLEngine createSSLEngine() {
        int verificationDepth = this.sslHostConfig.getCertificateVerificationDepth();
        // Whether client certificates are accepted without a trusted CA chain
        boolean optionalNoCa = this.sslHostConfig.getCertificateVerification() == SSLHostConfig.CertificateVerification.OPTIONAL_NO_CA;
        return new OpenSSLEngine(cleaner, this.state.sslCtx, "TLS", false, this.sessionContext, this.alpn,
                this.initialized, verificationDepth, optionalNoCa, this.noOcspCheck);
    }

    /**
     * Not supported by the native context.
     *
     * @return never returns normally
     * @throws UnsupportedOperationException always
     */
    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLServerSocketFactory getServerSocketFactory() {
        throw new UnsupportedOperationException();
    }

    /**
     * Not supported by the native context.
     *
     * @return never returns normally
     * @throws UnsupportedOperationException always
     */
    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLParameters getSupportedSSLParameters() {
        throw new UnsupportedOperationException();
    }

    /**
     * Looks up the certificate chain for an alias via the configured key
     * manager, falling back to the key manager's own choice of alias for the
     * certificate type when the requested alias has no chain.
     *
     * @param str the alias to look up; {@code null} selects the default alias
     * @return the chain, or {@code null} if there is no key manager or no chain
     */
    @Override // org.apache.tomcat.util.net.SSLContext
    public X509Certificate[] getCertificateChain(String str) {
        X509KeyManager keyManager = this.certificate.getCertificateKeyManager();
        if (keyManager == null) {
            return null;
        }
        String alias = (str == null) ? SSLUtilBase.DEFAULT_KEY_ALIAS : str;
        X509Certificate[] chain = keyManager.getCertificateChain(alias);
        if (chain != null) {
            return chain;
        }
        // No chain under the requested alias: let the key manager pick one for the type
        return keyManager.getCertificateChain(findAlias(keyManager, this.certificate));
    }

    /**
     * Returns the CA certificates accepted by the configured trust manager.
     *
     * @return the trust manager's accepted issuers, or {@code null} if no
     *         trust manager is configured
     */
    @Override // org.apache.tomcat.util.net.SSLContext
    public X509Certificate[] getAcceptedIssuers() {
        X509TrustManager trustManager = this.x509TrustManager;
        return (trustManager == null) ? null : trustManager.getAcceptedIssuers();
    }

    // Class initialisation: the X.509 factory and the OpenSSL major-version probe.
    static {
        try {
            X509_CERT_FACTORY = CertificateFactory.getInstance("X.509");
            // 0x3000000F is the packed version number of the OpenSSL 3.0.0 release
            // (same value as the decimal 805306383)
            OPENSSL_3 = openssl_h.OpenSSL_version_num() >= 0x3000000FL;
        } catch (CertificateException e) {
            throw new IllegalStateException(sm.getString("openssl.X509FactoryError"), e);
        }
    }
}
