package de.gematik.test.tiger.mockserver.socket.tls;

import de.gematik.test.tiger.mockserver.configuration.Configuration;
import de.gematik.test.tiger.mockserver.model.Protocol;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.ssl.AbstractSniHandler;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.OpenSslEngine;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.AttributeKey;
import io.netty.util.ReferenceCountUtil;
import io.netty.util.concurrent.Future;
import io.netty.util.internal.PlatformDependent;
import java.security.cert.Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/tiger-proxy-3.1.2.jar:de/gematik/test/tiger/mockserver/socket/tls/SniHandler.class */
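/**
 * SNI handler for the server (client-facing) side of the proxy.
 *
 * <p>For every incoming TLS handshake the server name the client sent in its ClientHello (SNI) is
 * added to the {@link Configuration} as a subject alternative name and a fresh server
 * {@link SslContext} is built via the {@link NettySslContextFactory}. The resulting
 * {@link SslHandler} then replaces this handler in the pipeline. The engine, handler, session,
 * presented client certificates and negotiated ALPN protocol are cached as channel attributes so
 * that the static helpers below can read them later in the pipeline.
 *
 * <p>Security note: the SNI value is attacker-controlled input taken straight from the ClientHello.
 * Nothing in this class validates, bounds or deduplicates it before it is handed to
 * {@code Configuration#addSubjectAlternativeName}, so any client that can reach the listener can
 * influence the names that end up in the generated server certificate. That is presumably intended
 * for a test proxy impersonating arbitrary hosts; it must not be reused where the generated
 * certificate is trusted beyond the test setup. Whether the configuration itself validates or
 * deduplicates names is not visible here.
 *
 * <p>Note: this listing was recovered from a decompiled jar; the {@code finally}-shaped cleanup in
 * {@link #replaceHandler} has been restored from the decompiler's dead-code artifact.
 */
public class SniHandler extends AbstractSniHandler<SslContext> {

    @Generated
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SniHandler.class);
    /** Engine of the server-side {@link SslHandler} installed by {@link #replaceHandler}. */
    public static final AttributeKey<SSLEngine> UPSTREAM_SSL_ENGINE = AttributeKey.valueOf("UPSTREAM_SSL_ENGINE");
    /** The server-side {@link SslHandler} installed by {@link #replaceHandler}. */
    public static final AttributeKey<SslHandler> UPSTREAM_SSL_HANDLER = AttributeKey.valueOf("UPSTREAM_SSL_HANDLER");
    /** Client certificate chain as presented during the handshake, cached on first successful read. */
    public static final AttributeKey<Certificate[]> UPSTREAM_CLIENT_CERTIFICATES = AttributeKey.valueOf("UPSTREAM_CLIENT_CERTIFICATES");
    /** The {@link SSLSession} of the engine, set when {@link #retrieveClientCertificates} first runs. */
    public static final AttributeKey<SSLSession> SSL_SESSION = AttributeKey.valueOf("SSL_SESSION");
    /** ALPN result mapped to {@link Protocol}; only cached when the protocol is HTTP/2 or HTTP/1.1. */
    public static final AttributeKey<Protocol> NEGOTIATED_APPLICATION_PROTOCOL = AttributeKey.valueOf("NEGOTIATED_APPLICATION_PROTOCOL");
    /**
     * Channel attribute under which another component stores the {@link NettySslContextFactory}
     * used for OCSP stapling. Same key name as before (AttributeKey instances are pooled by name);
     * note that this is not necessarily the same instance as {@link #nettySslContextFactory}.
     */
    private static final AttributeKey<NettySslContextFactory> NETTY_SSL_CONTEXT_FACTORY = AttributeKey.valueOf("NETTY_SSL_CONTEXT_FACTORY");
    private final Configuration configuration;
    private final NettySslContextFactory nettySslContextFactory;

    /**
     * @param configuration          shared proxy configuration; receives every SNI name seen
     * @param nettySslContextFactory factory used to build the per-handshake server context
     */
    public SniHandler(Configuration configuration, NettySslContextFactory nettySslContextFactory) {
        this.configuration = configuration;
        this.nettySslContextFactory = nettySslContextFactory;
    }

    /**
     * Resolves the {@link SslContext} for a handshake.
     *
     * <p>A non-blank {@code hostname} (the raw SNI value from the client, {@code null} when the
     * client sent none) is recorded as a subject alternative name in the shared configuration
     * before a server context is created. The context is created synchronously on the event loop;
     * whether that is cheap (e.g. cached) or involves key generation is decided inside the factory
     * and is not visible here.
     *
     * @param channelHandlerContext the channel being handshaken
     * @param hostname              SNI server name from the ClientHello, may be {@code null}
     * @return an already-completed future holding the server context
     */
    @Override // io.netty.handler.ssl.AbstractSniHandler
    protected Future<SslContext> lookup(ChannelHandlerContext channelHandlerContext, String hostname) {
        if (StringUtils.isNotBlank(hostname)) {
            // Untrusted input: whatever the client put in the SNI extension lands in the cert SANs.
            this.configuration.addSubjectAlternativeName(hostname);
        }
        SslContext serverContext = this.nettySslContextFactory.createServerSslContext();
        return channelHandlerContext.executor().newSucceededFuture(serverContext);
    }

    /**
     * Installs the {@link SslHandler} once the context future completes.
     *
     * <p>A failed lookup is surfaced as a {@link DecoderException} carrying the hostname (an
     * {@link Error} is rethrown untouched). Runtime failures while swapping the handler are
     * rethrown unchanged via {@link PlatformDependent#throwException}.
     *
     * @throws DecoderException when the context could not be obtained
     */
    @Override // io.netty.handler.ssl.AbstractSniHandler
    protected void onLookupComplete(ChannelHandlerContext channelHandlerContext, String hostname, Future<SslContext> future) {
        if (!future.isSuccess()) {
            Throwable cause = future.cause();
            if (cause instanceof Error) {
                throw (Error) cause;
            }
            throw new DecoderException("Failed to get the SslContext for " + hostname, cause);
        }
        try {
            replaceHandler(channelHandlerContext, future);
        } catch (RuntimeException e) {
            PlatformDependent.throwException(e);
        }
    }

    /**
     * Creates the {@link SslHandler} from the resolved context, staples an OCSP response when
     * possible, publishes engine and handler as channel attributes and swaps this handler out of
     * the pipeline. If anything fails before the swap succeeds, the engine is released so that
     * native (OpenSSL) resources do not leak; after a successful swap the pipeline owns it.
     */
    private void replaceHandler(ChannelHandlerContext channelHandlerContext, Future<SslContext> future) {
        SslHandler sslHandler = null;
        try {
            sslHandler = future.getNow().newHandler(channelHandlerContext.alloc());
            stapleOcspResponse(channelHandlerContext, sslHandler.engine());
            channelHandlerContext.channel().attr(UPSTREAM_SSL_ENGINE).set(sslHandler.engine());
            channelHandlerContext.channel().attr(UPSTREAM_SSL_HANDLER).set(sslHandler);
            channelHandlerContext.pipeline().replace(this, "SslHandler#0", sslHandler);
            // Ownership of the engine has passed to the pipeline; clear the local so that the
            // cleanup below does not release it.
            sslHandler = null;
        } finally {
            if (sslHandler != null) {
                ReferenceCountUtil.safeRelease(sslHandler.engine());
            }
        }
    }

    /**
     * Attaches an OCSP response to the engine when running on OpenSSL and a supplier is configured.
     *
     * <p>Fail-open by design: any failure (including a missing {@code NETTY_SSL_CONTEXT_FACTORY}
     * channel attribute, which surfaces as a {@link NullPointerException}) is logged at WARN and
     * the handshake continues without a stapled response. Callers that rely on stapling being
     * present should check the engine themselves.
     */
    private void stapleOcspResponse(ChannelHandlerContext channelHandlerContext, SSLEngine engine) {
        if (!(engine instanceof OpenSslEngine) || this.configuration.ocspResponseSupplier() == null) {
            return;
        }
        OpenSslEngine openSslEngine = (OpenSslEngine) engine;
        try {
            NettySslContextFactory factory = channelHandlerContext.channel().attr(NETTY_SSL_CONTEXT_FACTORY).get();
            openSslEngine.setOcspResponse(
                    this.configuration.ocspResponseSupplier().apply(factory.createKeyAndCertificateFactory().x509Certificate()));
        } catch (Exception e) {
            log.warn("Failed to set OCSP response", (Throwable) e);
        }
    }

    /**
     * Returns the client certificate chain presented on this channel, or {@code null}.
     *
     * <p>The chain is read once from the engine's {@link SSLSession} and cached under
     * {@link #UPSTREAM_CLIENT_CERTIFICATES}; later calls return the cached value. The session itself
     * is stored under {@link #SSL_SESSION} even when no client certificate is available.
     *
     * <p>Security note: this method performs no validation of its own. {@code getPeerCertificates}
     * reports the chain the peer presented; whether it was actually verified against a trust store,
     * and whether client authentication was required at all, is decided by the trust manager
     * configured into the server {@link SslContext}, which is not visible here. Callers that make
     * authorization decisions on the result must confirm that configuration.
     *
     * @return the presented chain, or {@code null} when the client did not complete mTLS or no
     *         engine is attached to the channel
     */
    public static Certificate[] retrieveClientCertificates(ChannelHandlerContext channelHandlerContext) {
        Certificate[] cached = channelHandlerContext.channel().attr(UPSTREAM_CLIENT_CERTIFICATES).get();
        if (cached != null) {
            return cached;
        }
        SSLEngine engine = channelHandlerContext.channel().attr(UPSTREAM_SSL_ENGINE).get();
        if (engine == null) {
            return null;
        }
        SSLSession session = engine.getSession();
        if (session == null) {
            return null;
        }
        try {
            channelHandlerContext.channel().attr(SSL_SESSION).set(session);
            Certificate[] peerCertificates = session.getPeerCertificates();
            channelHandlerContext.channel().attr(UPSTREAM_CLIENT_CERTIFICATES).set(peerCertificates);
            return peerCertificates;
        } catch (SSLPeerUnverifiedException e) {
            log.trace("no client certificate chain as client did not complete mTLS");
            return null;
        }
    }

    /**
     * Returns the ALPN-negotiated application protocol as a {@link Protocol}, or {@code null}.
     *
     * <p>Only {@code h2} and {@code http/1.1} are mapped. Any other non-blank ALPN value stores
     * {@code null} under {@link #NEGOTIATED_APPLICATION_PROTOCOL}, which means it is re-read from
     * the handler on every call rather than cached. Any {@link RuntimeException} while reading is
     * logged at WARN and {@code null} is returned.
     *
     * @param channelHandlerContext may be {@code null}, in which case {@code null} is returned
     */
    public static Protocol getALPNProtocol(ChannelHandlerContext channelHandlerContext) {
        if (channelHandlerContext == null) {
            return null;
        }
        Protocol protocol = null;
        try {
            if (channelHandlerContext.channel() == null) {
                return null;
            }
            Protocol cachedProtocol = channelHandlerContext.channel().attr(NEGOTIATED_APPLICATION_PROTOCOL).get();
            if (cachedProtocol != null) {
                return cachedProtocol;
            }
            SslHandler sslHandler = channelHandlerContext.channel().attr(UPSTREAM_SSL_HANDLER).get();
            if (sslHandler == null) {
                return null;
            }
            String applicationProtocol = sslHandler.applicationProtocol();
            if (StringUtils.isNotBlank(applicationProtocol)) {
                if (applicationProtocol.equalsIgnoreCase(ApplicationProtocolNames.HTTP_2)) {
                    protocol = Protocol.HTTP_2;
                } else if (applicationProtocol.equalsIgnoreCase(ApplicationProtocolNames.HTTP_1_1)) {
                    protocol = Protocol.HTTP_1_1;
                }
                channelHandlerContext.channel().attr(NEGOTIATED_APPLICATION_PROTOCOL).set(protocol);
                log.trace("found ALPN protocol:{}", applicationProtocol);
            }
        } catch (RuntimeException e) {
            log.warn("exception reading ALPN protocol", (Throwable) e);
        }
        return protocol;
    }
}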
