package de.gematik.test.tiger.mockserver.socket.tls;

import de.gematik.test.tiger.common.pki.TigerPkiIdentity;
import de.gematik.test.tiger.mockserver.configuration.MockServerConfiguration;
import de.gematik.test.tiger.mockserver.model.HttpProtocol;
import de.gematik.test.tiger.proxy.exceptions.TigerProxySslException;
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import javax.net.ssl.SSLException;
import lombok.Generated;
import org.apache.commons.lang3.tuple.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/tiger-proxy-3.7.1.jar:de/gematik/test/tiger/mockserver/socket/tls/NettySslContextFactory.class */
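/**
 * Builds the Netty {@link SslContext}s used by the Tiger mock-server / proxy, one cached
 * client context per (protocol, hostname) and a single cached server context.
 *
 * <p><b>Security note — read before reusing this class.</b> Both the client contexts
 * ({@link #createClientSslContext(HttpProtocol, String)}) and the server context
 * ({@link #createServerSslContext(String)}) install {@link InsecureTrustManagerFactory}, so
 * no peer certificate is ever validated: outgoing connections accept any server certificate
 * (no hostname check, no chain check), and the server side, which requests client
 * certificates with {@link ClientAuth#OPTIONAL}, accepts any client certificate that is
 * offered. That is the intended behaviour of an intercepting test proxy, but these contexts
 * must never be used for production traffic. The
 * {@code sslClientContextBuilderCustomizer} / {@code sslServerContextBuilderCustomizer}
 * hooks are applied last and may replace the trust manager if a stricter setup is needed.
 *
 * <p>Thread-safety: every public context-creation method is {@code synchronized} on this
 * instance, so cache lookups and builds never race with each other.
 */
public class NettySslContextFactory {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(NettySslContextFactory.class);
    private final MockServerConfiguration configuration;
    private final boolean forServer;
    /** Client contexts keyed by (protocol, target hostname); the hostname part may be null. */
    private final Map<Pair<HttpProtocol, String>, SslContext> clientSslContexts = new ConcurrentHashMap<>();
    /** The one server context plus the identity it presents; rebuilt only on demand. */
    private Pair<SslContext, TigerPkiIdentity> serverSslContextAndIdentity = null;
    /** Identity source for this instance's role; assigned in the constructor, see there for why. */
    private final KeyAndCertificateFactory keyAndCertificateFactory;

    /**
     * Creates a factory bound to the given configuration.
     *
     * @param mockServerConfiguration configuration providing TLS protocols, identity factories and customizer hooks
     * @param z {@code true} to build server-side contexts, {@code false} for client-side contexts
     * @throws TigerProxySslException if the configuration has no identity factory for the chosen role
     */
    public NettySslContextFactory(MockServerConfiguration mockServerConfiguration, boolean z) {
        this.configuration = mockServerConfiguration;
        this.forServer = z;
        // Must run after configuration/forServer are assigned: the lookup reads both. An
        // instance-field initializer (as in the decompiled listing) would execute before this
        // body, with configuration == null and forServer == false, and pick the wrong factory
        // or fail with an NPE. Note that this calls an overridable public method from the
        // constructor; a subclass override must not rely on its own fields here.
        this.keyAndCertificateFactory = createKeyAndCertificateFactory();
        // Process-wide side effect: every component in this JVM that honours the JDK
        // "https.protocols" property is affected, not only this factory.
        System.setProperty("https.protocols", mockServerConfiguration.tlsProtocols());
        // 'this' escapes to the customizer; all fields are initialized at this point.
        mockServerConfiguration.nettySslContextFactoryCustomizer().accept(this);
    }

    /**
     * Selects the identity factory for this instance's role.
     *
     * @return the configured server factory when {@code forServer} is set, otherwise the client factory
     * @throws TigerProxySslException if the configuration provides no factory for that role
     */
    public KeyAndCertificateFactory createKeyAndCertificateFactory() {
        KeyAndCertificateFactory factory = this.forServer
                ? this.configuration.serverKeyAndCertificateFactory()
                : this.configuration.clientKeyAndCertificateFactory();
        if (factory == null) {
            throw new TigerProxySslException(this.forServer
                    ? "No serverKeyAndCertificateFactory found!"
                    : "No clientKeyAndCertificateFactory found!");
        }
        return factory;
    }

    /**
     * Returns a client context for the given protocol without a target hostname.
     *
     * @param optional protocol to negotiate; empty means HTTP/1.1
     * @return a cached or freshly built client context
     */
    public synchronized SslContext createClientSslContext(Optional<HttpProtocol> optional) {
        return createClientSslContext(optional, (String) null);
    }

    /**
     * Returns a client context for the given protocol and target hostname.
     *
     * @param optional protocol to negotiate; empty means HTTP/1.1
     * @param str target hostname used to resolve the client identity; may be null
     * @return a cached or freshly built client context
     */
    public synchronized SslContext createClientSslContext(Optional<HttpProtocol> optional, String str) {
        return createClientSslContext(optional.orElse(HttpProtocol.HTTP_1_1), str);
    }

    /**
     * Returns the cached client context for (protocol, hostname), building and caching it on
     * first use. The returned context performs <b>no</b> server certificate validation.
     *
     * @param httpProtocol protocol to negotiate; HTTP/2 additionally configures ALPN
     * @param str target hostname used to resolve the client identity; may be null
     * @return the client context for this key
     * @throws TigerProxySslException if the context cannot be built
     */
    public synchronized SslContext createClientSslContext(HttpProtocol httpProtocol, String str) {
        Pair<HttpProtocol, String> cacheKey = Pair.of(httpProtocol, str);
        SslContext cached = this.clientSslContexts.get(cacheKey);
        if (cached != null) {
            return cached;
        }
        return buildFreshClientSslContext(httpProtocol, str);
    }

    /**
     * Builds a client context for (protocol, hostname), applies the configured customizer and
     * stores the result in the cache. Only called from the synchronized public entry points.
     */
    private SslContext buildFreshClientSslContext(HttpProtocol httpProtocol, String str) {
        try {
            TigerPkiIdentity identity = this.keyAndCertificateFactory.resolveIdentityForHostname(str);
            // tlsProtocols() is split on bare commas; entries presumably carry no surrounding whitespace.
            SslContextBuilder builder = SslContextBuilder.forClient()
                    .protocols(this.configuration.tlsProtocols().split(","))
                    .keyManager(identity.getPrivateKey(), identity.buildChainWithCertificate());
            if (httpProtocol == HttpProtocol.HTTP_2) {
                configureALPN(builder);
            }
            // SECURITY: accepts any server certificate; see the class comment. The customizer
            // below runs afterwards and is the place to install a real trust manager.
            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
            SslContextBuilder customized =
                    (SslContextBuilder) this.configuration.sslClientContextBuilderCustomizer().apply(builder);
            SslContext context = buildClientSslContext(customized);
            this.clientSslContexts.put(Pair.of(httpProtocol, str), context);
            return context;
        } catch (Exception e) {
            // Same failure handling as the server path: log, then surface the proxy's own exception type.
            log.error("Exception creating SSL context for client", e);
            throw new TigerProxySslException("Exception creating SSL context for client", e);
        }
    }

    /**
     * Finishes a client builder, delegating to the configured {@code clientSslContextBuilderFunction}
     * when one is set.
     *
     * @throws SSLException if Netty cannot build the context
     */
    private SslContext buildClientSslContext(SslContextBuilder sslContextBuilder) throws SSLException {
        if (this.configuration.clientSslContextBuilderFunction() == null) {
            return sslContextBuilder.build();
        }
        return this.configuration.clientSslContextBuilderFunction().apply(sslContextBuilder);
    }

    /**
     * Returns the server context and the identity it presents, building it on first use or
     * when {@code rebuildServerTlsContext} is set in the configuration.
     *
     * <p>The cache is <b>not</b> keyed by hostname: the identity resolved for the first
     * requested hostname is reused for every later hostname until a rebuild is requested.
     * Client certificates are requested ({@link ClientAuth#OPTIONAL}) but, because of the
     * insecure trust manager, never validated.
     *
     * @param str hostname used to resolve the server identity (ignored when a cached context is returned)
     * @return the server context paired with its identity
     * @throws TigerProxySslException if the context cannot be built
     */
    public synchronized Pair<SslContext, TigerPkiIdentity> createServerSslContext(String str) {
        boolean reuse = this.serverSslContextAndIdentity != null && !this.configuration.rebuildServerTlsContext();
        if (reuse) {
            log.info("Using existing server SSL context for {}", str);
            return this.serverSslContextAndIdentity;
        }
        log.info("Creating new server SSL context for {}", str);
        try {
            TigerPkiIdentity identity = this.keyAndCertificateFactory.resolveIdentityForHostname(str);
            log.atInfo()
                    .addArgument(() -> identity.getCertificate().getSubjectX500Principal())
                    .addArgument(() -> identity.getCertificate().getIssuerX500Principal())
                    .log("Using Server Certificate '{}', issued by '{}'");
            SslContextBuilder builder = SslContextBuilder
                    .forServer(identity.getPrivateKey(), identity.buildChainWithCertificate())
                    .protocols(this.configuration.tlsProtocols().split(","))
                    .clientAuth(ClientAuth.OPTIONAL);
            configureALPN(builder);
            // SECURITY: any offered client certificate is accepted; see the class comment.
            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
            SslContextBuilder customized =
                    (SslContextBuilder) this.configuration.sslServerContextBuilderCustomizer().apply(builder);
            this.serverSslContextAndIdentity = Pair.of(customized.build(), identity);
            // Clear the rebuild request only after a successful build; a failed build keeps the
            // previous context and leaves the flag set so the next call retries.
            this.configuration.rebuildServerTlsContext(false);
            return this.serverSslContextAndIdentity;
        } catch (RuntimeException | SSLException e) {
            log.error("Exception creating SSL context for server", (Throwable) e);
            throw new TigerProxySslException("exception creating SSL context for server", e);
        }
    }

    /**
     * Restricts the builder to the HTTP/2 cipher list and enables ALPN on the first provider
     * that supports it (the default server provider, then JDK, then OpenSSL).
     *
     * <p>As listed, the advertised ALPN protocol list contains only {@code http/1.1}; confirm
     * against the original source whether {@code h2} is expected to be added elsewhere
     * (e.g. by a customizer). If no provider supports ALPN, nothing is applied — not even the
     * cipher restriction — and a warning is logged.
     */
    private static void configureALPN(SslContextBuilder sslContextBuilder) {
        Consumer<SslContextBuilder> applyAlpn = builder -> builder
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(
                        ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                        ApplicationProtocolNames.HTTP_1_1));
        SslProvider defaultProvider = SslContext.defaultServerProvider();
        if (SslProvider.isAlpnSupported(defaultProvider)) {
            applyAlpn.accept(sslContextBuilder.sslProvider(defaultProvider));
        } else if (SslProvider.isAlpnSupported(SslProvider.JDK)) {
            applyAlpn.accept(sslContextBuilder.sslProvider(SslProvider.JDK));
        } else if (SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
            applyAlpn.accept(sslContextBuilder.sslProvider(SslProvider.OPENSSL));
        } else {
            log.warn("No SSL provider with ALPN support found; ALPN and HTTP/2 cipher restriction not configured");
        }
    }
}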
