package org.neo4j.ssl;

import io.netty.channel.Channel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:org/neo4j/ssl/SslPolicy.class */
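/**
 * Bundles the TLS material and settings (private key, certificate chain, cipher suites,
 * protocol versions, client-auth mode and trust managers) used to build Netty
 * {@link SslContext}s and {@link SslHandler}s, plus an in-memory {@link KeyStore}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The configured TLS versions are applied only to engines created through
 *       {@link #nettyServerHandler(Channel)} / {@link #nettyClientHandler(Channel)}. The contexts
 *       returned by {@link #nettyServerContext()} / {@link #nettyClientContext()} are built without
 *       a protocol restriction, so code that creates engines from them directly must restrict
 *       protocols itself.</li>
 *   <li>Nothing in this class sets an endpoint identification algorithm, and engines are created
 *       without a peer host/port. Peer authentication therefore rests on the supplied
 *       {@link TrustManagerFactory}. NOTE(review): confirm whether hostname verification is
 *       expected to be enforced elsewhere.</li>
 *   <li>{@link #toString()} reports certificate subjects/issuers and settings only; the private key
 *       is never included.</li>
 * </ul>
 */
public class SslPolicy {
    private final PrivateKey privateKey;
    private final X509Certificate[] keyCertChain;
    private final List<String> ciphers;
    private final List<String> tlsVersions;
    private final ClientAuth clientAuth;
    private final TrustManagerFactory trustManagerFactory;

    /**
     * Creates a policy from already-loaded key material and settings.
     *
     * <p>Argument order is TLS versions first, then cipher suites; both are {@code List<String>},
     * so swapping them compiles but yields a misconfigured policy.
     *
     * @param privateKey private key matching the first certificate of {@code keyCertChain}
     * @param keyCertChain certificate chain for {@code privateKey}; copied defensively, may be {@code null}
     * @param tlsVersions protocol names to enable on created engines, or {@code null} to keep the engine defaults
     * @param ciphers cipher suites handed to the Netty context builder
     * @param clientAuth client-authentication mode used for server contexts
     * @param trustManagerFactory source of trust managers used to validate the peer
     */
    public SslPolicy(PrivateKey privateKey, X509Certificate[] keyCertChain, List<String> tlsVersions, List<String> ciphers, ClientAuth clientAuth, TrustManagerFactory trustManagerFactory) {
        this.privateKey = privateKey;
        // Copy so that later changes to the caller's array cannot alter the chain this policy presents.
        this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
        this.tlsVersions = tlsVersions;
        this.ciphers = ciphers;
        this.clientAuth = clientAuth;
        this.trustManagerFactory = trustManagerFactory;
    }

    /**
     * Builds a server-side Netty context from the key, chain, client-auth mode, ciphers and trust managers.
     *
     * <p>The configured TLS versions are NOT applied here; see {@link #nettyServerHandler(Channel)}.
     *
     * @return a new server context
     * @throws SSLException if Netty cannot build the context
     */
    public SslContext nettyServerContext() throws SSLException {
        return SslContextBuilder.forServer(this.privateKey, this.keyCertChain)
                .clientAuth(forNetty(this.clientAuth))
                .ciphers(this.ciphers)
                .trustManager(this.trustManagerFactory)
                .build();
    }

    /**
     * Builds a client-side Netty context from the key, chain, ciphers and trust managers.
     *
     * <p>The configured TLS versions are NOT applied here; see {@link #nettyClientHandler(Channel)}.
     *
     * @return a new client context
     * @throws SSLException if Netty cannot build the context
     */
    public SslContext nettyClientContext() throws SSLException {
        return SslContextBuilder.forClient()
                .keyManager(this.privateKey, this.keyCertChain)
                .ciphers(this.ciphers)
                .trustManager(this.trustManagerFactory)
                .build();
    }

    /**
     * Maps this package's {@link ClientAuth} onto Netty's enum of the same name.
     *
     * @throws IllegalArgumentException for a value with no Netty equivalent, so that an unknown
     *         mode fails loudly instead of silently falling back to a weaker setting
     */
    private io.netty.handler.ssl.ClientAuth forNetty(ClientAuth clientAuth) {
        switch (clientAuth) {
            case NONE:
                return io.netty.handler.ssl.ClientAuth.NONE;
            case OPTIONAL:
                return io.netty.handler.ssl.ClientAuth.OPTIONAL;
            case REQUIRE:
                return io.netty.handler.ssl.ClientAuth.REQUIRE;
            default:
                throw new IllegalArgumentException("Cannot translate to netty equivalent: " + clientAuth);
        }
    }

    /**
     * Creates a server-side handler for {@code channel} with the configured TLS versions applied.
     *
     * @throws SSLException if the server context cannot be built
     */
    public SslHandler nettyServerHandler(Channel channel) throws SSLException {
        return makeNettyHandler(channel, nettyServerContext());
    }

    /**
     * Creates a client-side handler for {@code channel} with the configured TLS versions applied.
     *
     * @throws SSLException if the client context cannot be built
     */
    public SslHandler nettyClientHandler(Channel channel) throws SSLException {
        return makeNettyHandler(channel, nettyClientContext());
    }

    /**
     * Creates an engine from {@code sslContext} and wraps it in a handler.
     *
     * <p>This is the only place where {@code tlsVersions} is enforced. When it is {@code null} the
     * engine keeps whatever protocols the context/provider enables by default.
     */
    private SslHandler makeNettyHandler(Channel channel, SslContext sslContext) {
        // The engine is created without a peer host/port, so no endpoint identity is available to it.
        SSLEngine engine = sslContext.newEngine(channel.alloc());
        if (this.tlsVersions != null) {
            engine.setEnabledProtocols(this.tlsVersions.toArray(new String[0]));
        }
        return new SslHandler(engine);
    }

    /**
     * Returns the private key held by this policy.
     *
     * <p>This is live key material: do not log it or pass it to code that serializes its arguments.
     */
    public PrivateKey privateKey() {
        return this.privateKey;
    }

    /**
     * Returns a copy of the certificate chain, or {@code null} if none was configured.
     *
     * <p>A copy is returned so callers cannot replace entries of the chain this policy presents.
     */
    public X509Certificate[] certificateChain() {
        return this.keyCertChain == null ? null : this.keyCertChain.clone();
    }

    /**
     * Builds a new in-memory key store of the JVM default type holding this policy's private key
     * and chain under the alias {@code "key"}.
     *
     * <p>The password arrays are not cleared here; the caller owns them and should wipe them once
     * they are no longer needed.
     *
     * @param keyStorePass password for the key store itself
     * @param privateKeyPass password protecting the key entry
     * @return the populated key store
     * @throws RuntimeException wrapping any failure while creating or populating the key store
     */
    public KeyStore getKeyStore(char[] keyStorePass, char[] privateKeyPass) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // A null stream initialises an empty key store rather than reading one from disk.
            keyStore.load(null, keyStorePass);
            keyStore.setKeyEntry("key", this.privateKey, privateKeyPass, this.keyCertChain);
            return keyStore;
        } catch (Exception e) {
            // Cause is preserved; the message deliberately carries no key or password material.
            throw new RuntimeException("Failed to build in-memory key store for SSL policy", e);
        }
    }

    /** Returns the trust manager factory used to validate peers. */
    public TrustManagerFactory getTrustManagerFactory() {
        return this.trustManagerFactory;
    }

    /** Returns the configured cipher suites (the same list instance that was supplied). */
    public List<String> getCipherSuites() {
        return this.ciphers;
    }

    /** Returns the configured TLS versions (the same list instance that was supplied), possibly {@code null}. */
    public List<String> getTlsVersions() {
        return this.tlsVersions;
    }

    /** Returns the client-authentication mode used for server contexts. */
    public ClientAuth getClientAuth() {
        return this.clientAuth;
    }

    /**
     * Describes the policy for logs and diagnostics: certificate subjects/issuers, ciphers,
     * TLS versions and client-auth mode. The private key is intentionally left out.
     */
    @Override
    public String toString() {
        return "SslPolicy{keyCertChain=" + describeCertChain() + ", ciphers=" + this.ciphers + ", tlsVersions=" + this.tlsVersions + ", clientAuth=" + this.clientAuth + '}';
    }

    /** Formats one certificate as its subject and issuer distinguished names. */
    private String describeCertificate(X509Certificate x509Certificate) {
        return "Subject: " + x509Certificate.getSubjectDN() + ", Issuer: " + x509Certificate.getIssuerDN();
    }

    /**
     * Formats the whole chain as a comma-separated list of certificate descriptions.
     *
     * <p>Returns a placeholder when no chain is configured, so that {@link #toString()} cannot throw
     * while a policy is being logged.
     */
    private String describeCertChain() {
        if (this.keyCertChain == null) {
            return "<none>";
        }
        return Arrays.stream(this.keyCertChain).map(this::describeCertificate).collect(Collectors.joining(", "));
    }
}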
