package io.quarkus.tls.runtime.keystores;

import io.quarkus.tls.runtime.config.TrustStoreConfig;
import io.smallrye.mutiny.unchecked.Unchecked;
import io.smallrye.mutiny.unchecked.UncheckedFunction;
import io.vertx.core.Vertx;
import io.vertx.core.net.TrustOptions;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.function.Function;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509TrustManager;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/tls/runtime/keystores/ExpiryTrustOptions.class */
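/**
 * {@link TrustOptions} decorator that adds a certificate validity-period check
 * (not-before / not-after) in front of the trust managers produced by another
 * {@link TrustOptions} instance.
 *
 * <p>Every {@link X509TrustManager} obtained from the delegate is wrapped in an
 * {@link ExpiryAwareX509TrustManager}. When the configured policy is
 * {@link TrustStoreConfig.CertificateExpiryPolicy#REJECT}, a certificate outside its
 * validity period aborts the trust check. For any other policy value the problem is
 * only logged at WARN level and the chain is still handed to the delegate, so the
 * final trust decision is then whatever the delegate trust manager decides.
 *
 * <p>Instances hold two final references and no other state.
 */
public class ExpiryTrustOptions implements TrustOptions {
    private final TrustOptions delegate;
    private final TrustStoreConfig.CertificateExpiryPolicy policy;
    private static final Logger LOGGER = Logger.getLogger(ExpiryTrustOptions.class);

    /**
     * Trust manager that checks the validity period of every certificate in the
     * presented chain before delegating the actual trust decision.
     *
     * <p>This is an inner (non-static) class because it reads the enclosing
     * instance's {@code policy}. It is declared {@code public} in this decompiled
     * listing; the decompiler reports that the original access modifier was
     * {@code private}.
     *
     * <p>NOTE(review): only the two-argument {@link X509TrustManager} methods are
     * implemented here. If the wrapped manager is an
     * {@code javax.net.ssl.X509ExtendedTrustManager}, its socket/engine-aware
     * overloads are not forwarded by this wrapper - confirm that the TLS stack in
     * use still applies endpoint identification and algorithm constraints.
     */
    public class ExpiryAwareX509TrustManager implements X509TrustManager {
        final X509TrustManager tm;

        private ExpiryAwareX509TrustManager(X509TrustManager x509TrustManager) {
            this.tm = x509TrustManager;
        }

        /**
         * Checks the validity period of the client chain, then delegates.
         *
         * @throws CertificateException if the policy is REJECT and a certificate is
         *         outside its validity period, or if the delegate rejects the chain
         */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            // The validity-period check runs first, so under REJECT the delegate is never consulted
            // for a chain containing an expired or not-yet-valid certificate.
            verifyExpiration(x509CertificateArr);
            this.tm.checkClientTrusted(x509CertificateArr, str);
        }

        /**
         * Calls {@link X509Certificate#checkValidity()} (current system time) on every
         * certificate of the chain, not only on the leaf.
         *
         * <p>With policy REJECT the first failing certificate is logged at ERROR level
         * and its exception is rethrown, which stops the iteration. With any other
         * policy the failure is logged at WARN level and the loop continues with the
         * next certificate.
         *
         * @param x509CertificateArr the chain presented by the peer
         * @throws CertificateExpiredException if a certificate has expired and the policy is REJECT
         * @throws CertificateNotYetValidException if a certificate is not yet valid and the policy is REJECT
         */
        private void verifyExpiration(X509Certificate[] x509CertificateArr) throws CertificateExpiredException, CertificateNotYetValidException {
            final boolean reject = ExpiryTrustOptions.this.policy == TrustStoreConfig.CertificateExpiryPolicy.REJECT;
            for (X509Certificate certificate : x509CertificateArr) {
                try {
                    certificate.checkValidity();
                } catch (CertificateExpiredException expired) {
                    if (reject) {
                        LOGGER.error("A certificate has expired - rejecting", expired);
                        throw expired;
                    }
                    // Non-REJECT policy: record the finding, keep going. The log entry is the only trace
                    // left by this class, so it is the signal to monitor for when this policy is in use.
                    LOGGER.warn("A certificate has expired", expired);
                } catch (CertificateNotYetValidException notYetValid) {
                    if (reject) {
                        LOGGER.error("A certificate is not yet valid - rejecting", notYetValid);
                        throw notYetValid;
                    }
                    LOGGER.warn("A certificate is not yet valid", notYetValid);
                }
            }
        }

        /**
         * Checks the validity period of the server chain, then delegates.
         *
         * @throws CertificateException if the policy is REJECT and a certificate is
         *         outside its validity period, or if the delegate rejects the chain
         */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            verifyExpiration(x509CertificateArr);
            this.tm.checkServerTrusted(x509CertificateArr, str);
        }

        /** Returns the accepted issuers of the wrapped trust manager unchanged. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return this.tm.getAcceptedIssuers();
        }
    }

    /**
     * @param trustOptions the trust options whose trust managers are wrapped
     * @param certificateExpiryPolicy what to do when a certificate is outside its
     *        validity period; only {@code REJECT} turns the finding into a failure
     */
    public ExpiryTrustOptions(TrustOptions trustOptions, TrustStoreConfig.CertificateExpiryPolicy certificateExpiryPolicy) {
        this.delegate = trustOptions;
        this.policy = certificateExpiryPolicy;
    }

    /** Returns the wrapped trust options, without the expiry check. */
    public TrustOptions unwrap() {
        return this.delegate;
    }

    /**
     * Returns this same instance rather than a new object; the fields are final and
     * the delegate is shared, not copied.
     */
    public TrustOptions copy() {
        return this;
    }

    /**
     * Builds a {@link TrustManagerFactory} that forwards initialisation to the
     * delegate's factory and wraps the trust managers it produces.
     *
     * @param vertx passed through to the delegate
     * @return a factory reporting the delegate factory's provider and algorithm
     * @throws Exception whatever the delegate throws while creating its factory
     */
    public TrustManagerFactory getTrustManagerFactory(Vertx vertx) throws Exception {
        final TrustManagerFactory delegateFactory = this.delegate.getTrustManagerFactory(vertx);
        final TrustManagerFactorySpi wrappingSpi = new TrustManagerFactorySpi() {
            @Override
            protected void engineInit(KeyStore keyStore) throws KeyStoreException {
                delegateFactory.init(keyStore);
            }

            @Override
            protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws InvalidAlgorithmParameterException {
                delegateFactory.init(managerFactoryParameters);
            }

            @Override
            protected TrustManager[] engineGetTrustManagers() {
                // Wrapping happens on every call, on top of whatever the delegate factory returns.
                return ExpiryTrustOptions.this.getWrappedTrustManagers(delegateFactory.getTrustManagers());
            }
        };
        // TrustManagerFactory's constructor is protected, hence the empty anonymous subclass.
        return new TrustManagerFactory(wrappingSpi, delegateFactory.getProvider(), delegateFactory.getAlgorithm()) {
        };
    }

    /**
     * Returns a mapper from a name to wrapped trust managers.
     *
     * <p>The delegate's mapper is looked up on every invocation, and its result is
     * wrapped. When the delegate's mapper returns {@code null} for a name, the
     * returned function returns {@code null} as well.
     *
     * @param vertx passed through to the delegate
     * @return a function whose checked exceptions are handled by {@link Unchecked#function}
     */
    public Function<String, TrustManager[]> trustManagerMapper(final Vertx vertx) {
        final UncheckedFunction<String, TrustManager[]> wrappingMapper =
                name -> getWrappedTrustManagers(this.delegate.trustManagerMapper(vertx).apply(name));
        return Unchecked.function(wrappingMapper);
    }

    /**
     * Returns a new array of the same length in which every {@link X509TrustManager}
     * is replaced by an {@link ExpiryAwareX509TrustManager}; other trust manager
     * types are copied through untouched and therefore get no expiry check.
     *
     * @param trustManagerArr trust managers from the delegate, may be {@code null}
     * @return the wrapped array, or {@code null} when the input is {@code null}
     */
    private TrustManager[] getWrappedTrustManagers(TrustManager[] trustManagerArr) {
        // Propagate "no trust managers" as null instead of failing with a NullPointerException
        // on trustManagerArr.length; an empty array would mean something different to callers.
        if (trustManagerArr == null) {
            return null;
        }
        final TrustManager[] wrapped = new TrustManager[trustManagerArr.length];
        for (int i = 0; i < trustManagerArr.length; i++) {
            final TrustManager candidate = trustManagerArr[i];
            wrapped[i] = candidate instanceof X509TrustManager
                    ? new ExpiryAwareX509TrustManager((X509TrustManager) candidate)
                    : candidate;
        }
        return wrapped;
    }
}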
