package de.gematik.test.tiger.mockserver.socket.tls;

import de.gematik.test.tiger.mockserver.configuration.Configuration;
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import java.util.stream.Stream;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/tiger-proxy-3.1.2.jar:de/gematik/test/tiger/mockserver/socket/tls/NettySslContextFactory.class */
public class NettySslContextFactory {

    @Generated
    private static final Logger log = LoggerFactory.getLogger((Class<?>) NettySslContextFactory.class);
    private final Configuration configuration;
    private final boolean forServer;
    private final Map<String, SslContext> clientSslContexts = new ConcurrentHashMap();
    private SslContext serverSslContext = null;
    private final KeyAndCertificateFactory keyAndCertificateFactory = createKeyAndCertificateFactory();

    public NettySslContextFactory(Configuration configuration, boolean z) {
        this.configuration = configuration;
        this.forServer = z;
        System.setProperty("https.protocols", configuration.tlsProtocols());
        configuration.nettySslContextFactoryCustomizer().accept(this);
        if (configuration.proactivelyInitialiseTLS()) {
            createServerSslContext();
        }
    }

    public KeyAndCertificateFactory createKeyAndCertificateFactory() {
        if (this.configuration.customKeyAndCertificateFactorySupplier() != null) {
            return this.configuration.customKeyAndCertificateFactorySupplier().buildKeyAndCertificateFactory(this.forServer, this.configuration);
        }
        throw new RuntimeException("No KeyAndCertificateFactorySupplier supplied!");
    }

    public synchronized SslContext createClientSslContext(boolean z) {
        SslContext sslContext = this.clientSslContexts.get("enableHttp2=" + z);
        return (sslContext == null || this.configuration.rebuildTLSContext()) ? buildFreshClientSslContext(z) : sslContext;
    }

    private SslContext buildFreshClientSslContext(boolean z) {
        try {
            if (this.keyAndCertificateFactory.certificateNotYetCreated()) {
                this.keyAndCertificateFactory.buildAndSavePrivateKeyAndX509Certificate();
            }
            SslContextBuilder keyManager = SslContextBuilder.forClient().protocols(this.configuration.tlsProtocols().split(",")).keyManager(forwardProxyPrivateKey(), forwardProxyCertificateChain());
            if (z) {
                configureALPN(keyManager);
            }
            switch (this.configuration.forwardProxyTLSX509CertificatesTrustManagerType()) {
                case ANY:
                    keyManager.trustManager(InsecureTrustManagerFactory.INSTANCE);
                    break;
                case JVM:
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(this.keyAndCertificateFactory.x509Certificate());
                    arrayList.add(this.keyAndCertificateFactory.certificateAuthorityX509Certificate());
                    keyManager.trustManager(jvmCAX509TrustCertificates(arrayList));
                    break;
                case CUSTOM:
                    keyManager.trustManager(customCAX509TrustCertificates());
                    break;
            }
            SslContext buildClientSslContext = buildClientSslContext((SslContextBuilder) this.configuration.sslClientContextBuilderCustomizer().apply(keyManager));
            this.clientSslContexts.put("enableHttp2=" + z, buildClientSslContext);
            this.configuration.rebuildTLSContext(false);
            return buildClientSslContext;
        } catch (Exception e) {
            throw new RuntimeException("Exception creating SSL context for client", e);
        }
    }

    private SslContext buildClientSslContext(SslContextBuilder sslContextBuilder) throws SSLException {
        return this.configuration.clientSslContextBuilderFunction() == null ? sslContextBuilder.build() : this.configuration.clientSslContextBuilderFunction().apply(sslContextBuilder);
    }

    private PrivateKey forwardProxyPrivateKey() {
        return this.keyAndCertificateFactory.privateKey();
    }

    private X509Certificate[] forwardProxyCertificateChain() {
        return (X509Certificate[]) this.keyAndCertificateFactory.certificateChain().toArray(new X509Certificate[0]);
    }

    private X509Certificate[] jvmCAX509TrustCertificates(List<X509Certificate> list) throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        Stream stream = Arrays.stream(trustManagerFactory.getTrustManagers());
        Class<X509TrustManager> cls = X509TrustManager.class;
        Objects.requireNonNull(X509TrustManager.class);
        return (X509Certificate[]) ((List) stream.filter((v1) -> {
            return r1.isInstance(v1);
        }).flatMap(trustManager -> {
            return Arrays.stream(((X509TrustManager) trustManager).getAcceptedIssuers());
        }).collect(() -> {
            return list;
        }, (v0, v1) -> {
            v0.add(v1);
        }, (v0, v1) -> {
            v0.addAll(v1);
        })).toArray(new X509Certificate[0]);
    }

    private X509Certificate[] customCAX509TrustCertificates() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(this.keyAndCertificateFactory.x509Certificate());
        arrayList.add(this.keyAndCertificateFactory.certificateAuthorityX509Certificate());
        return (X509Certificate[]) arrayList.toArray(new X509Certificate[0]);
    }

    public synchronized SslContext createServerSslContext() {
        if (this.serverSslContext != null && !this.keyAndCertificateFactory.certificateNotYetCreated() && (!this.configuration.rebuildServerTlsContext() || this.configuration.preventCertificateDynamicUpdate())) {
            return this.serverSslContext;
        }
        try {
            this.keyAndCertificateFactory.buildAndSavePrivateKeyAndX509Certificate();
            log.debug("using certificate authority serial:{}issuer:{}subject:{}and certificate serial:{}issuer:{}subject:{}", this.keyAndCertificateFactory.certificateAuthorityX509Certificate().getSerialNumber(), this.keyAndCertificateFactory.certificateAuthorityX509Certificate().getIssuerX500Principal(), this.keyAndCertificateFactory.certificateAuthorityX509Certificate().getSubjectX500Principal(), this.keyAndCertificateFactory.x509Certificate().getSerialNumber(), this.keyAndCertificateFactory.x509Certificate().getIssuerX500Principal(), this.keyAndCertificateFactory.x509Certificate().getSubjectX500Principal());
            SslContextBuilder clientAuth = SslContextBuilder.forServer(this.keyAndCertificateFactory.privateKey(), this.keyAndCertificateFactory.certificateChain()).protocols(this.configuration.tlsProtocols().split(",")).clientAuth(this.configuration.tlsMutualAuthenticationRequired().booleanValue() ? ClientAuth.REQUIRE : ClientAuth.OPTIONAL);
            configureALPN(clientAuth);
            clientAuth.trustManager(InsecureTrustManagerFactory.INSTANCE);
            this.serverSslContext = ((SslContextBuilder) this.configuration.sslServerContextBuilderCustomizer().apply(clientAuth)).build();
            this.configuration.rebuildServerTlsContext(false);
            return this.serverSslContext;
        } catch (Exception e) {
            log.error("Exception creating SSL context for server", (Throwable) e);
            throw new RuntimeException("exception creating SSL context for server", e);
        }
    }

    private static void configureALPN(SslContextBuilder sslContextBuilder) {
        Consumer consumer = sslContextBuilder2 -> {
            sslContextBuilder2.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE).applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1));
        };
        if (SslProvider.isAlpnSupported(SslContext.defaultServerProvider())) {
            consumer.accept(sslContextBuilder.sslProvider(SslContext.defaultServerProvider()));
        } else if (SslProvider.isAlpnSupported(SslProvider.JDK)) {
            consumer.accept(sslContextBuilder.sslProvider(SslProvider.JDK));
        } else if (SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
            consumer.accept(sslContextBuilder.sslProvider(SslProvider.OPENSSL));
        }
    }
}
