package otoroshi.ssl;

import com.typesafe.sslconfig.ssl.SSLConfigSettings;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.StringReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import otoroshi.env.Env;
import otoroshi.utils.metrics.FakeHasMetrics$;
import otoroshi.utils.metrics.HasMetrics;
import otoroshi.utils.metrics.TimerMetrics;
import otoroshi.utils.syntax.implicits$;
import otoroshi.utils.syntax.implicits$BetterConfiguration$;
import otoroshi.utils.syntax.implicits$BetterSyntax$;
import play.api.ConfigLoader$;
import play.api.Logger;
import play.api.Logger$;
import play.api.MarkerContext$;
import scala.Array$;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Some;
import scala.Tuple2;
import scala.collection.Iterable$;
import scala.collection.IterableLike;
import scala.collection.Seq;
import scala.collection.Seq$;
import scala.collection.TraversableLike;
import scala.collection.TraversableOnce;
import scala.collection.concurrent.TrieMap;
import scala.collection.immutable.Nil$;
import scala.collection.mutable.ArrayOps;
import scala.package$;
import scala.reflect.ClassTag$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Either;
import scala.util.Failure;
import scala.util.Left;
import scala.util.Right;
import scala.util.Success;
import scala.util.Try;
import scala.util.Try$;

/* compiled from: ssl.scala */
/* loaded from: input_file:otoroshi/ssl/DynamicSSLEngineProvider$.class */
public final class DynamicSSLEngineProvider$ {
    // Singleton instance of this decompiled Scala object; presumably assigned by the constructor, which is outside this view.
    public static DynamicSSLEngineProvider$ MODULE$;
    // Lazily created flag (bitmap$0 bit 1); set to true by addCertificates, setCertificates and forceUpdate.
    private AtomicBoolean firstSetupDone;
    // Lazily created holder (bitmap$0 bit 2) of the SSLContext returned by current() and used by createSSLEngine().
    private AtomicReference<SSLContext> currentContext;
    // Lazily created holder (bitmap$0 bit 4); initialised with null and not written anywhere in the visible part of the file.
    private AtomicReference<SSLConfigSettings> currentSslConfigSettings;
    // Password handed to KeyManagerFactory.init and to the optional keystore dump; its value is assigned outside this view.
    private final char[] EMPTY_PASSWORD;
    private final Logger logger;
    // PEM matchers; the regular expressions themselves are defined outside this view.
    private final Pattern CERT_PATTERN;
    private final Pattern PRIVATE_KEY_PATTERN;
    private final Pattern PUBLIC_KEY_PATTERN;
    // Certificate store keyed by Cert.id() (see addCertificates / setCertificates).
    private final TrieMap<String, Cert> _certificates;
    // OCSP status projections keyed by certificate serial number (see setCertificates).
    private final TrieMap<BigInteger, OCSPCertProjection> _ocspProjectionCertificates;
    // Environment used by setupContext to read TLS configuration; set through setCurrentEnv.
    private final AtomicReference<Env> currentEnv;
    private final SSLContext defaultSslContext;
    // Scala lazy-val initialisation bitmap: bit 1 = firstSetupDone, bit 2 = currentContext, bit 4 = currentSslConfigSettings.
    private volatile byte bitmap$0;

    // Eagerly instantiates the singleton when the class is loaded.
    // NOTE(review): presumably the constructor (not visible here) assigns MODULE$ — confirm.
    static {
        new DynamicSSLEngineProvider$();
    }

    /**
     * Returns the shared password array used when initialising key managers and when dumping the keystore.
     *
     * <p>The same array instance is returned on every call; callers must not modify it.
     * NOTE(review): the name suggests a zero-length array; the value is assigned outside this view.
     */
    private char[] EMPTY_PASSWORD() {
        return EMPTY_PASSWORD;
    }

    /** Returns the logger used for all TLS setup and key-parsing debug output of this object. */
    public Logger logger() {
        return logger;
    }

    /**
     * Returns the pattern used by readCertificateChain to locate certificates in PEM text;
     * capture group 1 is fed to base64Decode.
     */
    private Pattern CERT_PATTERN() {
        return CERT_PATTERN;
    }

    /**
     * Returns the pattern used to detect a private key in PEM text; capture group 1 is
     * base64-decoded by _readPrivateKeySpec.
     */
    public Pattern PRIVATE_KEY_PATTERN() {
        return PRIVATE_KEY_PATTERN;
    }

    /** Returns the public-key PEM pattern; it is not used by any method visible in this part of the file. */
    public Pattern PUBLIC_KEY_PATTERN() {
        return PUBLIC_KEY_PATTERN;
    }

    /**
     * Returns the live certificate map keyed by certificate id.
     *
     * <p>This is the backing map itself, not a copy: any caller can add, replace or remove
     * entries, and setupContext builds the TLS keystore from its non-revoked values.
     */
    public TrieMap<String, Cert> _certificates() {
        return _certificates;
    }

    /**
     * Returns the live map of OCSP status projections keyed by certificate serial number.
     *
     * <p>The backing map is returned directly; setCertificates only ever puts into it.
     */
    public TrieMap<BigInteger, OCSPCertProjection> _ocspProjectionCertificates() {
        return _ocspProjectionCertificates;
    }

    /**
     * Returns a filtered view of the certificate map that contains only entries whose
     * certificate reports {@code notRevoked()}.
     */
    public TrieMap<String, Cert> certificates() {
        return (TrieMap) _certificates().filter(entry -> BoxesRunTime.boxToBoolean($anonfun$certificates$1(entry)));
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v10, types: [otoroshi.ssl.DynamicSSLEngineProvider$] */
    /**
     * Slow path of the Scala lazy val {@code firstSetupDone}: under the monitor of this object,
     * creates the flag (initially false) if bit 1 of bitmap$0 is still clear, then sets that bit.
     *
     * <p>The {@code ?? r0} declaration is a decompiler artifact (see the JADX warnings above);
     * r0 always refers to this object.
     */
    private AtomicBoolean firstSetupDone$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            // Re-check under the lock so the flag is created only once.
            if (((byte) (this.bitmap$0 & 1)) == 0) {
                this.firstSetupDone = new AtomicBoolean(false);
                r0 = this;
                r0.bitmap$0 = (byte) (this.bitmap$0 | 1);
            }
        }
        return this.firstSetupDone;
    }

    /**
     * Returns the lazily created "first setup done" flag, initialising it through the
     * synchronized slow path when bit 1 of bitmap$0 is not yet set.
     */
    private AtomicBoolean firstSetupDone() {
        if (((byte) (this.bitmap$0 & 1)) != 0) {
            return this.firstSetupDone;
        }
        return firstSetupDone$lzycompute();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v10, types: [otoroshi.ssl.DynamicSSLEngineProvider$] */
    /**
     * Slow path of the Scala lazy val {@code currentContext}: under the monitor of this object,
     * builds the initial SSLContext with setupContext(FakeHasMetrics) if bit 2 of bitmap$0 is
     * still clear, stores it in a new AtomicReference and sets that bit.
     *
     * <p>setupContext runs while the monitor is held, so the whole first TLS context build
     * (configuration reads, truststore file load, optional keystore dump) happens under this lock.
     * The {@code ?? r0} declaration is a decompiler artifact; r0 always refers to this object.
     */
    private AtomicReference<SSLContext> currentContext$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            // Re-check under the lock so the initial context is built only once.
            if (((byte) (this.bitmap$0 & 2)) == 0) {
                this.currentContext = new AtomicReference<>(setupContext(FakeHasMetrics$.MODULE$));
                r0 = this;
                r0.bitmap$0 = (byte) (this.bitmap$0 | 2);
            }
        }
        return this.currentContext;
    }

    /**
     * Returns the holder of the active SSLContext, building the initial context through the
     * synchronized slow path when bit 2 of bitmap$0 is not yet set.
     */
    private AtomicReference<SSLContext> currentContext() {
        if (((byte) (this.bitmap$0 & 2)) != 0) {
            return this.currentContext;
        }
        return currentContext$lzycompute();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v10, types: [otoroshi.ssl.DynamicSSLEngineProvider$] */
    /**
     * Slow path of the Scala lazy val {@code currentSslConfigSettings}: under the monitor of this
     * object, creates a holder containing null if bit 4 of bitmap$0 is still clear, then sets that bit.
     *
     * <p>The {@code ?? r0} declaration is a decompiler artifact; r0 always refers to this object.
     */
    private AtomicReference<SSLConfigSettings> currentSslConfigSettings$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            // Re-check under the lock so the holder is created only once.
            if (((byte) (this.bitmap$0 & 4)) == 0) {
                this.currentSslConfigSettings = new AtomicReference<>(null);
                r0 = this;
                r0.bitmap$0 = (byte) (this.bitmap$0 | 4);
            }
        }
        return this.currentSslConfigSettings;
    }

    /**
     * Returns the holder of the SSL config settings, creating it through the synchronized slow
     * path when bit 4 of bitmap$0 is not yet set.
     */
    private AtomicReference<SSLConfigSettings> currentSslConfigSettings() {
        if (((byte) (this.bitmap$0 & 4)) != 0) {
            return this.currentSslConfigSettings;
        }
        return currentSslConfigSettings$lzycompute();
    }

    /** Returns the holder of the environment that setupContext reads its TLS configuration from. */
    private AtomicReference<Env> currentEnv() {
        return currentEnv;
    }

    /** Returns the SSLContext stored in the defaultSslContext field; how it is built is outside this view. */
    private SSLContext defaultSslContext() {
        return defaultSslContext;
    }

    /**
     * Reports whether certificates have been pushed at least once, i.e. whether addCertificates,
     * setCertificates or forceUpdate has already run.
     */
    public boolean isFirstSetupDone() {
        final boolean done = firstSetupDone().get();
        return done;
    }

    /**
     * Stores the environment whose configuration setupContext consults for trust settings,
     * the CA bundle location and the keystore dump path.
     *
     * @param env environment to use for subsequent global context builds
     */
    public void setCurrentEnv(Env env) {
        final AtomicReference<Env> holder = currentEnv();
        holder.set(env);
    }

    /**
     * Returns the environment previously stored with setCurrentEnv.
     *
     * @return the stored environment; whatever the holder was constructed with if none was set
     */
    public Env getCurrentEnv() {
        final Env env = currentEnv().get();
        return env;
    }

    /**
     * Builds the global TLS SSLContext from the non-revoked entries of the certificate map and
     * installs it as the JVM-wide default.
     *
     * <p>Configuration read from the current environment (each key is optional):
     * <ul>
     *   <li>{@code otoroshi.ssl.trust.all} - boolean, false when absent;</li>
     *   <li>{@code otoroshi.ssl.cacert.path} - CA keystore path, with {@code ${JAVA_HOME}} and
     *       {@code $JAVA_HOME} replaced by the {@code java.home} system property; defaults to
     *       {@code <java.home>/lib/security/cacerts};</li>
     *   <li>{@code otoroshi.ssl.cacert.password} - defaults to {@code "changeit"};</li>
     *   <li>{@code play.server.https.keyStoreDumpPath} - when present, the freshly built
     *       keystore is written to that path;</li>
     *   <li>{@code play.server.https.trustStore.noCaVerification} - boolean.</li>
     * </ul>
     *
     * <p>Trust manager selection: when {@code noCaVerification} is set, true selects
     * {@code noCATrustManager$} and false selects createTrustStore, and {@code trust.all} is
     * not consulted at all. Only when {@code noCaVerification} is absent does
     * {@code trust.all = true} select {@code VeryNiceTrustManager}. Both special trust
     * managers are defined outside this view.
     * NOTE(review): their names and config keys suggest they skip peer-certificate validation;
     * confirm, and treat either key being true outside development as a configuration finding.
     *
     * <p>Runs inside the {@code otoroshi.core.tls.setup-global-context} timer.
     *
     * @param hasMetrics source of the timer used to measure the build
     * @return the initialised context, which is also passed to {@code SSLContext.setDefault}
     */
    private SSLContext setupContext(HasMetrics hasMetrics) {
        TimerMetrics metrics = hasMetrics.metrics();
        return (SSLContext) metrics.withTimer("otoroshi.core.tls.setup-global-context", metrics.withTimer$default$2(), () -> {
            // Snapshot of the certificates that are not revoked at build time.
            TrieMap trieMap = (TrieMap) MODULE$._certificates().filter(tuple2 -> {
                return BoxesRunTime.boxToBoolean($anonfun$setupContext$2(tuple2));
            });
            // None when no environment has been stored yet; every config lookup then falls back to its default.
            Option apply = Option$.MODULE$.apply(MODULE$.currentEnv().get());
            boolean unboxToBoolean = BoxesRunTime.unboxToBoolean(apply.flatMap(env -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env.configuration()), "otoroshi.ssl.trust.all", ConfigLoader$.MODULE$.booleanLoader(), ClassTag$.MODULE$.Boolean());
            }).getOrElse(() -> {
                return false;
            }));
            String str = (String) apply.flatMap(env2 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env2.configuration()), "otoroshi.ssl.cacert.path", ConfigLoader$.MODULE$.stringLoader(), ClassTag$.MODULE$.apply(String.class));
            }).map(str2 -> {
                return str2.replace("${JAVA_HOME}", System.getProperty("java.home")).replace("$JAVA_HOME", System.getProperty("java.home"));
            }).getOrElse(() -> {
                return new StringBuilder(21).append(System.getProperty("java.home")).append("/lib/security/cacerts").toString();
            });
            // "changeit" is the well-known default password of the JDK cacerts file.
            String str3 = (String) apply.flatMap(env3 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env3.configuration()), "otoroshi.ssl.cacert.password", ConfigLoader$.MODULE$.stringLoader(), ClassTag$.MODULE$.apply(String.class));
            }).getOrElse(() -> {
                return "changeit";
            });
            Option flatMap = apply.flatMap(env4 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env4.configuration()), "play.server.https.keyStoreDumpPath", ConfigLoader$.MODULE$.stringLoader(), ClassTag$.MODULE$.apply(String.class));
            });
            MODULE$.logger().debug(() -> {
                return "Setting up SSL Context ";
            }, MarkerContext$.MODULE$.NoMarker());
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            KeyStore createKeyStore = MODULE$.createKeyStore(trieMap.values().toSeq());
            // Optional on-disk dump of the keystore, stored with EMPTY_PASSWORD.
            // NOTE(review): the keystore presumably holds private keys (the populating helper is not visible) — keep this key unset in production.
            flatMap.foreach(str4 -> {
                $anonfun$setupContext$12(flatMap, createKeyStore, str4);
                return BoxedUnit.UNIT;
            });
            // Prefer the "X509" algorithm name and fall back to "SunX509" if it is unavailable.
            KeyManagerFactory keyManagerFactory = (KeyManagerFactory) Try$.MODULE$.apply(() -> {
                return KeyManagerFactory.getInstance("X509");
            }).orElse(() -> {
                return Try$.MODULE$.apply(() -> {
                    return KeyManagerFactory.getInstance("SunX509");
                });
            }).get();
            keyManagerFactory.init(createKeyStore, MODULE$.EMPTY_PASSWORD());
            MODULE$.logger().debug(() -> {
                return "SSL Context init ...";
            }, MarkerContext$.MODULE$.NoMarker());
            // NOTE(review): apply.get() below throws NoSuchElementException for every key manager when no Env has been set — confirm callers always call setCurrentEnv first.
            sSLContext.init((KeyManager[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(keyManagerFactory.getKeyManagers())).map(keyManager -> {
                return KeyManagerCompatibility$.MODULE$.keyManager(() -> {
                    return trieMap.values().toSeq();
                }, false, (X509KeyManager) keyManager, (Env) apply.get());
            }, Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(KeyManager.class))), (TrustManager[]) apply.flatMap(env5 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env5.configuration()), "play.server.https.trustStore.noCaVerification", ConfigLoader$.MODULE$.booleanLoader(), ClassTag$.MODULE$.Boolean());
            }).map(obj -> {
                return $anonfun$setupContext$21(createKeyStore, str, str3, BoxesRunTime.unboxToBoolean(obj));
            }).getOrElse(() -> {
                return unboxToBoolean ? new TrustManager[]{new VeryNiceTrustManager(Nil$.MODULE$)} : MODULE$.createTrustStore(createKeyStore, str, str3);
            }), null);
            MODULE$.logger().debug(() -> {
                return new StringBuilder(26).append("SSL Context init done ! (").append(createKeyStore.size()).append(")").toString();
            }, MarkerContext$.MODULE$.NoMarker());
            // Process-wide side effect: every caller of SSLContext.getDefault() in this JVM now receives this context.
            SSLContext.setDefault(sSLContext);
            return sSLContext;
        });
    }

    /**
     * Builds a TLS SSLContext from an explicit set of certificates instead of the global map.
     *
     * <p>Revoked entries are dropped from both input sequences. The key store is built from
     * {@code seq}; the store given to the trust manager is built from {@code seq2} when that
     * sequence still has entries after filtering, otherwise the key store is reused as trust
     * material. The CA keystore path and password are resolved as in setupContext
     * ({@code otoroshi.ssl.cacert.path}, {@code otoroshi.ssl.cacert.password} with the
     * {@code "changeit"} default).
     *
     * <p>Trust manager selection: when {@code play.server.https.trustStore.noCaVerification}
     * is set, true selects {@code noCATrustManager$} and false selects createTrustStore, and
     * neither {@code z} nor {@code otoroshi.ssl.trust.all} is consulted. When it is absent,
     * {@code z == true} or {@code otoroshi.ssl.trust.all = true} selects
     * {@code VeryNiceTrustManager}.
     * NOTE(review): both special trust managers are defined outside this view; their names
     * suggest they skip peer-certificate validation — confirm before passing {@code z = true}.
     *
     * <p>Runs inside the {@code otoroshi.core.tls.setup-single-context} timer.
     *
     * @param seq certificates used as key material
     * @param seq2 certificates used as trust material; may be empty
     * @param z forces the trust-all branch regardless of configuration
     * @param z2 forwarded unchanged to {@code KeyManagerCompatibility$.keyManager}; its meaning is not visible here
     * @param env environment providing metrics and configuration; dereferenced immediately, so it must not be null
     * @return the initialised context, which is also passed to {@code SSLContext.setDefault}
     */
    public SSLContext setupSslContextFor(Seq<Cert> seq, Seq<Cert> seq2, boolean z, boolean z2, Env env) {
        return (SSLContext) env.metrics().withTimer("otoroshi.core.tls.setup-single-context", env.metrics().withTimer$default$2(), () -> {
            Seq<Cert> seq3 = (Seq) seq.filter(cert -> {
                return BoxesRunTime.boxToBoolean(cert.notRevoked());
            });
            Seq<Cert> seq4 = (Seq) seq2.filter(cert2 -> {
                return BoxesRunTime.boxToBoolean(cert2.notRevoked());
            });
            Option apply = Option$.MODULE$.apply(env);
            // The caller-supplied flag short-circuits the configuration lookup.
            boolean unboxToBoolean = z ? true : BoxesRunTime.unboxToBoolean(apply.flatMap(env2 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env2.configuration()), "otoroshi.ssl.trust.all", ConfigLoader$.MODULE$.booleanLoader(), ClassTag$.MODULE$.Boolean());
            }).getOrElse(() -> {
                return false;
            }));
            String str = (String) apply.flatMap(env3 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env3.configuration()), "otoroshi.ssl.cacert.path", ConfigLoader$.MODULE$.stringLoader(), ClassTag$.MODULE$.apply(String.class));
            }).map(str2 -> {
                return str2.replace("${JAVA_HOME}", System.getProperty("java.home")).replace("$JAVA_HOME", System.getProperty("java.home"));
            }).getOrElse(() -> {
                return new StringBuilder(21).append(System.getProperty("java.home")).append("/lib/security/cacerts").toString();
            });
            // "changeit" is the well-known default password of the JDK cacerts file.
            String str3 = (String) apply.flatMap(env4 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env4.configuration()), "otoroshi.ssl.cacert.password", ConfigLoader$.MODULE$.stringLoader(), ClassTag$.MODULE$.apply(String.class));
            }).getOrElse(() -> {
                return "changeit";
            });
            MODULE$.logger().debug(() -> {
                return "Setting up SSL Context ";
            }, MarkerContext$.MODULE$.NoMarker());
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            KeyStore createKeyStore = MODULE$.createKeyStore(seq3);
            // Prefer the "X509" algorithm name and fall back to "SunX509" if it is unavailable.
            KeyManagerFactory keyManagerFactory = (KeyManagerFactory) Try$.MODULE$.apply(() -> {
                return KeyManagerFactory.getInstance("X509");
            }).orElse(() -> {
                return Try$.MODULE$.apply(() -> {
                    return KeyManagerFactory.getInstance("SunX509");
                });
            }).get();
            keyManagerFactory.init(createKeyStore, MODULE$.EMPTY_PASSWORD());
            MODULE$.logger().debug(() -> {
                return "SSL Context init ...";
            }, MarkerContext$.MODULE$.NoMarker());
            KeyManager[] keyManagerArr = (KeyManager[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(keyManagerFactory.getKeyManagers())).map(keyManager -> {
                return KeyManagerCompatibility$.MODULE$.keyManager(() -> {
                    return seq3;
                }, z2, (X509KeyManager) keyManager, (Env) apply.get());
            }, Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(KeyManager.class)));
            // With no dedicated trusted certificates, the key store doubles as trust material.
            KeyStore createKeyStore2 = seq4.nonEmpty() ? MODULE$.createKeyStore(seq4) : createKeyStore;
            sSLContext.init(keyManagerArr, (TrustManager[]) apply.flatMap(env5 -> {
                return implicits$BetterConfiguration$.MODULE$.getOptionalWithFileSupport$extension(implicits$.MODULE$.BetterConfiguration(env5.configuration()), "play.server.https.trustStore.noCaVerification", ConfigLoader$.MODULE$.booleanLoader(), ClassTag$.MODULE$.Boolean());
            }).map(obj -> {
                return $anonfun$setupSslContextFor$19(createKeyStore2, str, str3, BoxesRunTime.unboxToBoolean(obj));
            }).getOrElse(() -> {
                return unboxToBoolean ? new TrustManager[]{new VeryNiceTrustManager(Nil$.MODULE$)} : MODULE$.createTrustStore(createKeyStore2, str, str3);
            }), null);
            MODULE$.logger().debug(() -> {
                return new StringBuilder(29).append("SSL Context init done ! (").append(createKeyStore.size()).append(" - ").append(createKeyStore2.size()).append(")").toString();
            }, MarkerContext$.MODULE$.NoMarker());
            // Process-wide side effect: this per-call context also replaces the JVM default, including
            // any trust-all choice made above. NOTE(review): confirm that is intended for a "single" context.
            SSLContext.setDefault(sSLContext);
            return sSLContext;
        });
    }

    /**
     * Returns the SSLContext currently in use; the first call builds the initial context
     * through the lazy holder.
     */
    public SSLContext current() {
        final SSLContext active = currentContext().get();
        return active;
    }

    /**
     * Returns the SSL config settings held by this object.
     *
     * @return the stored settings; null in the visible code, since the holder is created with
     *     null and no visible method writes to it
     */
    public SSLConfigSettings sslConfigSettings() {
        final SSLConfigSettings settings = currentSslConfigSettings().get();
        return settings;
    }

    /**
     * Returns the distinct domains of all non-revoked certificates in the certificate map.
     *
     * @return de-duplicated domain names, in the order produced by the intermediate set
     */
    public Seq<String> getHostNames() {
        TraversableLike usable = (TraversableLike) _certificates().values().filter(cert -> BoxesRunTime.boxToBoolean(cert.notRevoked()));
        TraversableOnce domains = (TraversableOnce) usable.map(cert2 -> cert2.domain(), Iterable$.MODULE$.canBuildFrom());
        return domains.toSet().toSeq();
    }

    /**
     * Adds the non-revoked certificates of {@code seq} to the certificate map (keyed by id),
     * rebuilds the global SSLContext and makes it the current one.
     *
     * <p>Revoked certificates in {@code seq} are skipped, not removed: an entry stored earlier
     * under the same id stays in the map. Use setCertificates to drop entries.
     *
     * @param seq certificates to add or replace
     * @param env environment passed to setupContext as the metrics source
     * @return the newly built context
     */
    public SSLContext addCertificates(Seq<Cert> seq, Env env) {
        firstSetupDone().compareAndSet(false, true);
        ((IterableLike) seq.filter(cert -> BoxesRunTime.boxToBoolean(cert.notRevoked())))
            .foreach(cert2 -> MODULE$._certificates().put(cert2.id(), cert2));
        final SSLContext rebuilt = setupContext(env);
        currentContext().set(rebuilt);
        return rebuilt;
    }

    /**
     * Replaces the content of the certificate map with the non-revoked certificates of
     * {@code seq}, records an OCSP projection for the certificates selected by the
     * {@code $anonfun$setCertificates$3} predicate, rebuilds the global SSLContext and makes
     * it the current one.
     *
     * <p>The map is cleared before it is refilled, so concurrent readers can briefly observe an
     * empty or partial map. The OCSP projection map is only written, never cleared here, so
     * projections of certificates that are no longer in {@code seq} remain.
     * NOTE(review): the predicate is defined outside this view; presumably it keeps certificates
     * whose serial number is defined, since {@code serialNumberLng().get()} is called on them.
     *
     * @param seq the complete new set of certificates
     * @param env environment passed to setupContext as the metrics source
     * @return the newly built context
     */
    public SSLContext setCertificates(Seq<Cert> seq, Env env) {
        firstSetupDone().compareAndSet(false, true);
        _certificates().clear();
        ((IterableLike) seq.filter(cert -> BoxesRunTime.boxToBoolean(cert.notRevoked())))
            .foreach(cert2 -> MODULE$._certificates().put(cert2.id(), cert2));
        // The revocation reason defaults to "VALID" when the certificate metadata carries none.
        ((IterableLike) seq.filter(cert3 -> BoxesRunTime.boxToBoolean($anonfun$setCertificates$3(cert3))))
            .foreach(cert4 -> MODULE$._ocspProjectionCertificates().put(cert4.serialNumberLng().get(), new OCSPCertProjection(cert4.revoked(), cert4.isValid(), cert4.expired(), (String) cert4.entityMetadata().getOrElse("revocationReason", () -> "VALID"), cert4.from().toDate(), cert4.to().toDate())));
        final SSLContext rebuilt = setupContext(env);
        currentContext().set(rebuilt);
        return rebuilt;
    }

    /**
     * Rebuilds the global SSLContext from the certificate map as it stands and makes it the
     * current one, without changing the map.
     *
     * @param env environment passed to setupContext as the metrics source
     * @return the newly built context
     */
    public SSLContext forceUpdate(Env env) {
        firstSetupDone().compareAndSet(false, true);
        final SSLContext rebuilt = setupContext(env);
        currentContext().set(rebuilt);
        return rebuilt;
    }

    /**
     * Creates an empty in-memory JKS keystore and lets the {@code $anonfun$createKeyStore$2}
     * helper (outside this view) add an entry for every certificate in {@code seq}.
     *
     * @param seq certificates to load into the keystore
     * @return the populated keystore
     */
    public KeyStore createKeyStore(Seq<Cert> seq) {
        logger().debug(() -> "Creating keystore ...", MarkerContext$.MODULE$.NoMarker());
        final KeyStore store = KeyStore.getInstance("JKS");
        // A null stream initialises an empty keystore rather than reading one.
        store.load(null, null);
        seq.foreach(cert -> {
            $anonfun$createKeyStore$2(store, cert);
            return BoxedUnit.UNIT;
        });
        return store;
    }

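    /**
     * Builds the trust managers for a context: the X.509 trust managers derived from
     * {@code keyStore} followed by those derived from the JKS CA keystore at path {@code str},
     * all wrapped in a single {@code FakeTrustManager}.
     *
     * <p>The CA keystore file is opened with try-with-resources so its descriptor is released
     * after loading, including when loading fails; this method runs on every context rebuild.
     * NOTE(review): {@code FakeTrustManager} is defined outside this view; how it combines the
     * delegates decides what is actually trusted — confirm.
     *
     * @param keyStore keystore whose certificates are trusted in addition to the CA bundle
     * @param str path of the JKS CA keystore
     * @param str2 password of the CA keystore
     * @return a one-element array holding the wrapping trust manager
     */
    public TrustManager[] createTrustStore(KeyStore keyStore, String str, String str2) {
        logger().debug(() -> {
            return "Creating truststore ...";
        }, MarkerContext$.MODULE$.NoMarker());
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
        trustManagerFactory.init(keyStore);
        KeyStore keyStore2 = KeyStore.getInstance("JKS");
        try (FileInputStream caBundle = new FileInputStream(str)) {
            keyStore2.load(caBundle, str2.toCharArray());
        }
        TrustManagerFactory trustManagerFactory2 = TrustManagerFactory.getInstance("SunX509");
        trustManagerFactory2.init(keyStore2);
        // Concatenate both trust manager arrays, narrow each element to X509TrustManager, and wrap the result.
        return new TrustManager[]{new FakeTrustManager(new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps((Object[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps((Object[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(trustManagerFactory.getTrustManagers())).$plus$plus(new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(trustManagerFactory2.getTrustManagers())), Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(TrustManager.class))))).map(trustManager -> {
            return (X509TrustManager) trustManager;
        }, Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(X509TrustManager.class))))).toSeq())};
    }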

    /**
     * Parses every certificate found in the PEM text {@code str2} into an X.509 certificate.
     *
     * <p>Each match of CERT_PATTERN is base64-decoded from capture group 1 and handed to an
     * X.509 CertificateFactory; the search resumes at the end of the previous match. No chain
     * validation or ordering check is performed here, and a malformed certificate makes
     * {@code generateCertificate} throw out of this method.
     *
     * @param str label used only in the debug log line
     * @param str2 PEM text containing zero or more certificates
     * @param z whether to emit the debug log line
     * @return the parsed certificates in order of appearance; empty when nothing matches
     */
    public Seq<X509Certificate> readCertificateChain(String str, String str2, boolean z) {
        if (z) {
            logger().debug(() -> "Reading cert chain for " + str, MarkerContext$.MODULE$.NoMarker());
        }
        Matcher pemBlocks = CERT_PATTERN().matcher(str2);
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
        Seq<X509Certificate> chain = Nil$.MODULE$;
        int searchFrom = 0;
        while (pemBlocks.find(searchFrom)) {
            chain = (Seq) chain.$colon$plus((X509Certificate) x509Factory.generateCertificate(new ByteArrayInputStream(base64Decode(pemBlocks.group(1)))), Seq$.MODULE$.canBuildFrom());
            searchFrom = pemBlocks.end();
        }
        return chain;
    }

    /** Scala default for the third parameter of readCertificateChain: debug logging is on. */
    public boolean readCertificateChain$default$3() {
        final boolean logByDefault = true;
        return logByDefault;
    }

    /**
     * Turns a key specification into a private key by trying the RSA, EC and DSA key
     * factories in that order and keeping the first one that succeeds.
     *
     * <p>When all three fail, the returned failure is the one from the last (DSA) attempt, so
     * its message may not describe the real cause for an RSA or EC key.
     *
     * @param keySpec key specification, typically PKCS#8
     * @return the private key, or the failure of the last attempt
     */
    public Try<PrivateKey> _readPrivateKey(KeySpec keySpec) {
        Try<PrivateKey> asRsa = Try$.MODULE$.apply(() -> KeyFactory.getInstance("RSA").generatePrivate(keySpec));
        return asRsa
            .orElse(() -> Try$.MODULE$.apply(() -> KeyFactory.getInstance("EC").generatePrivate(keySpec)))
            .orElse(() -> Try$.MODULE$.apply(() -> KeyFactory.getInstance("DSA").generatePrivate(keySpec)));
    }

    /**
     * Extracts a key specification from the first private key found in the PEM text
     * {@code str2}.
     *
     * <p>Without a password the decoded bytes are wrapped as a PKCS#8 spec. With a password
     * the bytes are treated as an EncryptedPrivateKeyInfo and decrypted with a password-based
     * key for the algorithm named in that structure. Decryption problems (wrong password,
     * unsupported algorithm, malformed structure) are not converted to a {@code Left}: they
     * propagate as exceptions. The password is converted to a char array that is not cleared.
     *
     * @param str label used only in log and error messages
     * @param str2 PEM text
     * @param option password for an encrypted key, if any
     * @param z whether to emit the initial debug log line
     * @return the key spec, or a {@code Left} message when no private key is found
     */
    public Either<String, KeySpec> _readPrivateKeySpec(String str, String str2, Option<String> option, boolean z) {
        if (z) {
            logger().debug(() -> "Reading private key for " + str, MarkerContext$.MODULE$.NoMarker());
        }
        Matcher pemKey = PRIVATE_KEY_PATTERN().matcher(str2);
        if (!pemKey.find()) {
            logger().debug(() -> "[" + str + "] Found no private key :(", MarkerContext$.MODULE$.NoMarker());
            return package$.MODULE$.Left().apply("[" + str + "] Found no private key");
        }
        byte[] der = base64Decode(pemKey.group(1));
        return (Either) option.map(password -> {
            EncryptedPrivateKeyInfo encrypted = new EncryptedPrivateKeyInfo(der);
            String algorithm = encrypted.getAlgName();
            SecretKey pbeKey = SecretKeyFactory.getInstance(algorithm).generateSecret(new PBEKeySpec(password.toCharArray()));
            Cipher decryptor = Cipher.getInstance(encrypted.getAlgName());
            decryptor.init(Cipher.DECRYPT_MODE, pbeKey, encrypted.getAlgParameters());
            return package$.MODULE$.Right().apply(encrypted.getKeySpec(decryptor));
        }).getOrElse(() -> package$.MODULE$.Right().apply(new PKCS8EncodedKeySpec(der)));
    }

    /** Scala default for the fourth parameter of _readPrivateKeySpec: debug logging is on. */
    public boolean _readPrivateKeySpec$default$4() {
        final boolean logByDefault = true;
        return logByDefault;
    }

    /**
     * Reads a private key from the PEM text {@code str2}, first with the BouncyCastle PEM
     * parser and then, if that yields nothing, with the PKCS#8 path
     * (_readPrivateKeySpec followed by _readPrivateKey).
     *
     * <p>The BouncyCastle attempt returns a key for a PEMKeyPair, or for a PEMEncryptedKeyPair
     * when a password is supplied; an encrypted pair without a password and any other parsed
     * object yield None. Any exception in that attempt is captured as a Failure and also
     * triggers the fallback, so the original parse or decryption error is not reported.
     * In the fallback, a key-factory failure is returned as {@code Left} with only the
     * exception message (the cause is dropped and the message may be null), while exceptions
     * raised inside _readPrivateKeySpec propagate to the caller.
     *
     * <p>Only the label {@code str} is logged; key material and the password are not.
     *
     * <p>NOTE(review): as decompiled, the Success(None) and Success(Some) branches assign
     * {@code apply} and then reach {@code throw new MatchError(apply2)} instead of returning.
     * That looks like a JADX control-flow reconstruction artifact of a Scala pattern match —
     * confirm against ssl.scala before relying on this listing.
     *
     * @param str label used only in log and error messages
     * @param str2 PEM text
     * @param option password for an encrypted key, if any
     * @param z whether to emit the initial debug log line
     * @return the private key, or a {@code Left} message describing why none was produced
     */
    public Either<String, PrivateKey> readPrivateKeyUniversal(String str, String str2, Option<String> option, boolean z) {
        Either<String, PrivateKey> apply;
        if (z) {
            logger().debug(() -> {
                return new StringBuilder(24).append("Reading private key for ").append(str).toString();
            }, MarkerContext$.MODULE$.NoMarker());
        }
        // Cheap pre-check: give up early when the text holds nothing that looks like a private key.
        if (!PRIVATE_KEY_PATTERN().matcher(str2).find()) {
            logger().debug(() -> {
                return new StringBuilder(26).append("[").append(str).append("] Found no private key :(").toString();
            }, MarkerContext$.MODULE$.NoMarker());
            return package$.MODULE$.Left().apply(new StringBuilder(23).append("[").append(str).append("] Found no private key").toString());
        }
        boolean z2 = false;
        Success success = null;
        // First attempt: BouncyCastle PEM parsing with the "BC" provider.
        Try apply2 = Try$.MODULE$.apply(() -> {
            None$ none$;
            PEMParser pEMParser = new PEMParser(new StringReader(str2));
            JcaPEMKeyConverter provider = new JcaPEMKeyConverter().setProvider("BC");
            boolean z3 = false;
            PEMEncryptedKeyPair pEMEncryptedKeyPair = null;
            Object readObject = pEMParser.readObject();
            if (readObject instanceof PEMEncryptedKeyPair) {
                z3 = true;
                pEMEncryptedKeyPair = (PEMEncryptedKeyPair) readObject;
                // Encrypted key but no password: nothing can be decrypted on this path.
                if (option.isEmpty()) {
                    none$ = None$.MODULE$;
                    return none$;
                }
            }
            if (z3 && option.isDefined()) {
                none$ = implicits$BetterSyntax$.MODULE$.some$extension(implicits$.MODULE$.BetterSyntax(provider.getKeyPair(pEMEncryptedKeyPair.decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(((String) option.get()).toCharArray()))).getPrivate()));
            } else if (readObject instanceof PEMKeyPair) {
                none$ = implicits$BetterSyntax$.MODULE$.some$extension(implicits$.MODULE$.BetterSyntax(provider.getKeyPair((PEMKeyPair) readObject).getPrivate()));
            } else {
                none$ = None$.MODULE$;
            }
            return none$;
        });
        if (!(apply2 instanceof Failure)) {
            if (apply2 instanceof Success) {
                z2 = true;
                success = (Success) apply2;
                // Parsed without error but produced no key: fall back to the PKCS#8 path.
                if (None$.MODULE$.equals((Option) success.value())) {
                    apply = _readPrivateKeySpec(str, str2, option, z).flatMap(keySpec -> {
                        Left apply3;
                        Left either = MODULE$._readPrivateKey(keySpec).toEither();
                        if (either instanceof Left) {
                            apply3 = package$.MODULE$.Left().apply(((Throwable) either.value()).getMessage());
                        } else {
                            if (!(either instanceof Right)) {
                                throw new MatchError(either);
                            }
                            apply3 = package$.MODULE$.Right().apply((PrivateKey) ((Right) either).value());
                        }
                        return apply3;
                    });
                }
            }
            if (z2) {
                Some some = (Option) success.value();
                if (some instanceof Some) {
                    apply = package$.MODULE$.Right().apply((PrivateKey) some.value());
                }
            }
            throw new MatchError(apply2);
        }
        // BouncyCastle attempt threw: its error is discarded and the PKCS#8 path is tried instead.
        apply = _readPrivateKeySpec(str, str2, option, z).flatMap(keySpec2 -> {
            Left apply3;
            Left either = MODULE$._readPrivateKey(keySpec2).toEither();
            if (either instanceof Left) {
                apply3 = package$.MODULE$.Left().apply(((Throwable) either.value()).getMessage());
            } else {
                if (!(either instanceof Right)) {
                    throw new MatchError(either);
                }
                apply3 = package$.MODULE$.Right().apply((PrivateKey) ((Right) either).value());
            }
            return apply3;
        });
        return apply;
    }

    /** Scala default for the fourth parameter of readPrivateKeyUniversal: debug logging is on. */
    public boolean readPrivateKeyUniversal$default$4() {
        final boolean logByDefault = true;
        return logByDefault;
    }

    /**
     * Reports whether the certificate's signature verifies against its own public key.
     *
     * <p>Only the signature is checked; subject and issuer names are not compared here.
     * Verification exceptions are handled by the {@code isSelfSigned$2} partial function,
     * which is defined outside this view.
     * NOTE(review): presumably it maps verification failures to false — confirm.
     *
     * @param x509Certificate certificate to test
     * @return true when the self-verification succeeds
     */
    public boolean isSelfSigned(X509Certificate x509Certificate) {
        final boolean selfSigned = BoxesRunTime.unboxToBoolean(Try$.MODULE$.apply(() -> {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        }).recover(new DynamicSSLEngineProvider$$anonfun$isSelfSigned$2()).get());
        return selfSigned;
    }

    /**
     * Decodes base64 text with the MIME decoder.
     *
     * <p>The MIME decoder skips line separators and any other character outside the base64
     * alphabet, so stray characters in a PEM body are ignored rather than rejected; callers
     * that need strict validation must check the input themselves.
     *
     * @param str base64 text, read as US-ASCII
     * @return the decoded bytes
     */
    public byte[] base64Decode(String str) {
        final Base64.Decoder mimeDecoder = Base64.getMimeDecoder();
        final byte[] ascii = str.getBytes(StandardCharsets.US_ASCII);
        return mimeDecoder.decode(ascii);
    }

    /**
     * Creates a server-side SSLEngine from the current SSLContext, wrapped in a
     * CustomSSLEngine that records the SNI host name requested by the client.
     *
     * <p>Client authentication follows {@code clientAuth}: Want requests a client
     * certificate, Need requires one, anything else leaves it off. The flags are set both on
     * the engine and on the SSLParameters that are applied at the end.
     *
     * <p>The installed SNI matcher (type 0, host_name) accepts every server name, including
     * names that are not SNIHostName instances; it is used only to capture the host name via
     * {@code setEngineHostName}. Host-based certificate selection therefore has to happen
     * elsewhere. NOTE(review): presumably in the key manager built by
     * KeyManagerCompatibility — confirm.
     *
     * <p>NOTE(review): {@code option} is paired with the engine's enabled cipher suites and
     * {@code option2} with its enabled protocols as fallbacks, so they are presumably the
     * configured cipher suites and protocols; the helpers that apply them are outside this view.
     * The anonymous class below shows decompiler artifacts (constructor call inside an
     * initializer block) and is not valid Java as listed.
     *
     * @param clientAuth client authentication mode
     * @param option optional override paired with cipher suites
     * @param option2 optional override paired with protocols
     * @return the configured engine wrapper
     */
    public SSLEngine createSSLEngine(ClientAuth clientAuth, Option<Seq<String>> option, Option<Seq<String>> option2) {
        SSLContext sSLContext = currentContext().get();
        logger().debug(() -> {
            return new StringBuilder(23).append("Create SSLEngine from: ").append(sSLContext).toString();
        }, MarkerContext$.MODULE$.NoMarker());
        SSLEngine createSSLEngine = sSLContext.createSSLEngine();
        // Capture the engine defaults before the overrides are applied; they are the fallbacks used below.
        Seq seq = new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(createSSLEngine.getEnabledCipherSuites())).toSeq();
        Seq seq2 = new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(createSSLEngine.getEnabledProtocols())).toSeq();
        option.foreach(seq3 -> {
            $anonfun$createSSLEngine$2(createSSLEngine, seq3);
            return BoxedUnit.UNIT;
        });
        option2.foreach(seq4 -> {
            $anonfun$createSSLEngine$3(createSSLEngine, seq4);
            return BoxedUnit.UNIT;
        });
        final CustomSSLEngine customSSLEngine = new CustomSSLEngine(createSSLEngine);
        SSLParameters sSLParameters = new SSLParameters();
        ArrayList arrayList = new ArrayList();
        if (ClientAuth$Want$.MODULE$.equals(clientAuth)) {
            customSSLEngine.setWantClientAuth(true);
            sSLParameters.setWantClientAuth(true);
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        } else if (ClientAuth$Need$.MODULE$.equals(clientAuth)) {
            customSSLEngine.setNeedClientAuth(true);
            sSLParameters.setNeedClientAuth(true);
            BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
        } else {
            BoxedUnit boxedUnit3 = BoxedUnit.UNIT;
        }
        arrayList.add(new SNIMatcher(customSSLEngine) { // from class: otoroshi.ssl.DynamicSSLEngineProvider$$anon$2
            private final CustomSSLEngine engine$1;

            @Override // javax.net.ssl.SNIMatcher
            public boolean matches(SNIServerName sNIServerName) {
                // Never rejects a handshake: non-host-name entries are logged and accepted.
                if (!(sNIServerName instanceof SNIHostName)) {
                    DynamicSSLEngineProvider$.MODULE$.logger().debug(() -> {
                        return new StringBuilder(18).append("Not a hostname :( ").append(sNIServerName).toString();
                    }, MarkerContext$.MODULE$.NoMarker());
                    BoxedUnit boxedUnit4 = BoxedUnit.UNIT;
                    return true;
                }
                String asciiName = ((SNIHostName) sNIServerName).getAsciiName();
                DynamicSSLEngineProvider$.MODULE$.logger().debug(() -> {
                    return new StringBuilder(22).append("createSSLEngine - for ").append(asciiName).toString();
                }, MarkerContext$.MODULE$.NoMarker());
                // Remember the client-requested host name on the engine wrapper.
                this.engine$1.setEngineHostName(asciiName);
                BoxedUnit boxedUnit5 = BoxedUnit.UNIT;
                return true;
            }

            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super(0);
                this.engine$1 = customSSLEngine;
            }
        });
        sSLParameters.setSNIMatchers(arrayList);
        // Apply the override when given, otherwise the engine defaults captured above.
        option.orElse(() -> {
            return new Some(seq);
        }).foreach(seq5 -> {
            $anonfun$createSSLEngine$5(sSLParameters, seq5);
            return BoxedUnit.UNIT;
        });
        option2.orElse(() -> {
            return new Some(seq2);
        }).foreach(seq6 -> {
            $anonfun$createSSLEngine$7(sSLParameters, seq6);
            return BoxedUnit.UNIT;
        });
        customSSLEngine.setSSLParameters(sSLParameters);
        return customSSLEngine;
    }

    /**
     * Compiler-generated predicate (named after {@code certificates}) that keeps an entry only
     * while its certificate reports itself as not revoked.
     *
     * @param tuple2 pair whose second component is cast to {@code Cert}
     * @return whatever {@code notRevoked()} returns for that certificate
     */
    public static final /* synthetic */ boolean $anonfun$certificates$1(Tuple2 tuple2) {
        Cert entryCert = (Cert) tuple2._2();
        return entryCert.notRevoked();
    }

    /**
     * Compiler-generated predicate (named after {@code setupContext}) that filters out revoked
     * certificates: the entry passes only if its certificate's {@code notRevoked()} is true.
     *
     * @param tuple2 pair whose second component is cast to {@code Cert}
     * @return {@code true} when the certificate is not revoked
     */
    public static final /* synthetic */ boolean $anonfun$setupContext$2(Tuple2 tuple2) {
        Cert candidate = (Cert) tuple2._2();
        boolean usable = candidate.notRevoked();
        return usable;
    }

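    /**
     * Writes the given key store to the file named by {@code str}, after logging the dump
     * location at debug level.
     *
     * <p>The store is written with {@code EMPTY_PASSWORD}, which the constructor sets to an empty
     * char array, so the resulting file is not protected by a store password. Whatever the key
     * store contains is then guarded only by the permissions of the target path.
     * NOTE(review): if this is the store filled by the {@code createKeyStore} lambdas it holds
     * private-key entries; confirm the dump path is restricted to the service account.
     *
     * @param option value appended to the debug message (the configured dump location)
     * @param keyStore the key store to serialize
     * @param str path of the file to write
     */
    public static final /* synthetic */ void $anonfun$setupContext$12(Option option, KeyStore keyStore, String str) {
        MODULE$.logger().debug(() -> {
            return new StringBuilder(20).append("Dumping keystore at ").append(option).toString();
        }, MarkerContext$.MODULE$.NoMarker());
        // The stream used to be created inline and never closed, which leaked a file descriptor
        // on every dump and left flushing to the finalizer. Close it deterministically, including
        // when store() throws.
        try (FileOutputStream out = new FileOutputStream(str)) {
            keyStore.store(out, MODULE$.EMPTY_PASSWORD());
        }
    }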

    /**
     * Chooses the trust managers for {@code setupContext} from a boolean switch.
     *
     * <p>When {@code z} is true the result is a single-element array holding
     * {@code noCATrustManager$.MODULE$} and the key store is not consulted at all; otherwise the
     * managers come from {@code createTrustStore(keyStore, str, str2)}.
     * NOTE(review): the name suggests {@code noCATrustManager} performs no CA validation, so
     * whichever setting feeds {@code z} would disable peer-certificate verification; confirm and
     * make sure it is never enabled outside test environments.
     *
     * @param keyStore key store handed to {@code createTrustStore} when {@code z} is false
     * @param str first string argument forwarded to {@code createTrustStore}
     * @param str2 second string argument forwarded to {@code createTrustStore}
     * @param z selects the {@code noCATrustManager} singleton when true
     * @return the trust managers to install
     */
    public static final /* synthetic */ TrustManager[] $anonfun$setupContext$21(KeyStore keyStore, String str, String str2, boolean z) {
        if (z) {
            return new TrustManager[]{noCATrustManager$.MODULE$};
        }
        return MODULE$.createTrustStore(keyStore, str, str2);
    }

    /**
     * Chooses the trust managers for {@code setupSslContextFor} from a boolean switch; same logic
     * as the equivalent lambda generated for {@code setupContext}.
     *
     * <p>A true {@code z} yields only {@code noCATrustManager$.MODULE$} and ignores the key store;
     * a false {@code z} delegates to {@code createTrustStore(keyStore, str, str2)}.
     * NOTE(review): {@code noCATrustManager} presumably skips CA validation; verify what it
     * accepts and which configuration value reaches {@code z}.
     *
     * @param keyStore key store handed to {@code createTrustStore} when {@code z} is false
     * @param str first string argument forwarded to {@code createTrustStore}
     * @param str2 second string argument forwarded to {@code createTrustStore}
     * @param z selects the {@code noCATrustManager} singleton when true
     * @return the trust managers to install
     */
    public static final /* synthetic */ TrustManager[] $anonfun$setupSslContextFor$19(KeyStore keyStore, String str, String str2, boolean z) {
        return z
                ? new TrustManager[]{noCATrustManager$.MODULE$}
                : MODULE$.createTrustStore(keyStore, str, str2);
    }

    /**
     * Predicate used by {@code setCertificates}: true only for certificates that have a defined
     * {@code serialNumberLng} and that {@code CertParentHelper.fromOtoroshiRootCa} accepts.
     *
     * <p>The serial-number check runs first, so {@code cert.certificate().get()} is only reached
     * for certificates that passed it.
     *
     * @param cert certificate record to test
     * @return {@code true} when both conditions hold
     */
    public static final /* synthetic */ boolean $anonfun$setCertificates$3(Cert cert) {
        if (!cert.serialNumberLng().isDefined()) {
            return false;
        }
        CertParentHelper$ parentHelper = CertParentHelper$.MODULE$;
        X509Certificate x509 = (X509Certificate) cert.certificate().get();
        return parentHelper.fromOtoroshiRootCa(x509, parentHelper.fromOtoroshiRootCa$default$2());
    }

    /**
     * Registers a CA certificate in the key store under the alias {@code ca-<serial in hex>},
     * unless that alias is already taken.
     *
     * <p>The alias is built from the serial number alone. Serial numbers are unique per issuer
     * only, so two CA certificates from different issuers that share a serial map to the same
     * alias and the second one is skipped without any log line.
     *
     * @param keyStore key store receiving the certificate entry
     * @param x509Certificate CA certificate to add
     */
    public static final /* synthetic */ void $anonfun$createKeyStore$3(KeyStore keyStore, X509Certificate x509Certificate) {
        String caAlias = "ca-" + x509Certificate.getSerialNumber().toString(16);
        if (!keyStore.containsAlias(caAlias)) {
            keyStore.setCertificateEntry(caAlias, x509Certificate);
        }
    }

    /**
     * Filter predicate for subject-alternative-name aliases: passes only names that are not yet
     * present in the key store, so an existing entry is never replaced by a SAN.
     *
     * @param keyStore key store to look the alias up in
     * @param str candidate alias
     * @return {@code true} when the key store has no entry under {@code str}
     */
    public static final /* synthetic */ boolean $anonfun$createKeyStore$8(KeyStore keyStore, String str) {
        boolean aliasTaken = keyStore.containsAlias(str);
        return !aliasTaken;
    }

    /**
     * Adds a certificate that has no private key (see the caller's {@code privateKey().trim().isEmpty()}
     * branch) to the key store as a certificate-only entry.
     *
     * <p>The entry alias is the domain extracted from the first certificate of the parsed chain,
     * falling back to {@code cert.domain()}. Each name in {@code cert.sans()} is added as a further
     * alias for the same certificate. All aliases are first-writer-wins: an alias that already
     * exists in the key store is left untouched.
     *
     * @param cert certificate record supplying domain, chain and SANs
     * @param keyStore key store receiving the entries
     * @param x509Certificate parsed certificate stored under every alias
     */
    public static final /* synthetic */ void $anonfun$createKeyStore$4(Cert cert, KeyStore keyStore, X509Certificate x509Certificate) {
        // Builds "trusted-<serial in hex>" and discards it: the value is never used as an alias.
        new StringBuilder(8).append("trusted-").append(x509Certificate.getSerialNumber().toString(16)).toString();
        Seq<X509Certificate> readCertificateChain = MODULE$.readCertificateChain(cert.domain(), cert.chain(), MODULE$.readCertificateChain$default$3());
        // Alias resolution is wrapped in Try so that any failure (for example an empty chain making
        // head() throw) falls back to the configured domain instead of aborting.
        String str = (String) Try$.MODULE$.apply(() -> {
            return (String) SSLImplicits$EnhancedX509Certificate$.MODULE$.maybeDomain$extension(SSLImplicits$.MODULE$.EnhancedX509Certificate((X509Certificate) readCertificateChain.head())).getOrElse(() -> {
                return cert.domain();
            });
        }).toOption().getOrElse(() -> {
            return cert.domain();
        });
        // Never overwrite an existing entry for this host name.
        if (!keyStore.containsAlias(str)) {
            keyStore.setCertificateEntry(str, x509Certificate);
        }
        // Register the certificate under each SAN that is not already an alias.
        ((IterableLike) cert.sans().filter(str2 -> {
            return BoxesRunTime.boxToBoolean($anonfun$createKeyStore$8(keyStore, str2));
        })).foreach(str3 -> {
            keyStore.setCertificateEntry(str3, x509Certificate);
            return BoxedUnit.UNIT;
        });
    }

    /**
     * Filter predicate for the SAN aliases of a key entry: passes only names the key store does
     * not contain yet, so a SAN never displaces an entry that was registered earlier.
     *
     * @param keyStore key store to look the alias up in
     * @param str candidate alias
     * @return {@code true} when no entry exists under {@code str}
     */
    public static final /* synthetic */ boolean $anonfun$createKeyStore$19(KeyStore keyStore, String str) {
        if (keyStore.containsAlias(str)) {
            return false;
        }
        return true;
    }

    /**
     * Stores the private key and its certificate chain under one additional alias (a SAN).
     *
     * <p>The entry password is {@code cert.password()}, or the empty string when the certificate
     * record carries none, so such keys sit in the key store without password protection.
     *
     * @param keyStore key store receiving the key entry
     * @param privateKey private key to store
     * @param cert certificate record supplying the optional password
     * @param seq certificate chain, converted to a {@code Certificate[]}
     * @param str alias to store the entry under
     */
    public static final /* synthetic */ void $anonfun$createKeyStore$20(KeyStore keyStore, PrivateKey privateKey, Cert cert, Seq seq, String str) {
        String entryPassword = (String) cert.password().getOrElse(() -> {
            return "";
        });
        char[] passwordChars = entryPassword.toCharArray();
        Certificate[] chain = (Certificate[]) seq.toArray(ClassTag$.MODULE$.apply(Certificate.class));
        keyStore.setKeyEntry(str, privateKey, passwordChars, chain);
    }

    /**
     * Registers an intermediate or root certificate from a chain under the alias
     * {@code ca-<serial in hex>}, skipping it when the alias already exists.
     *
     * <p>Because only the serial number goes into the alias, certificates from different issuers
     * with the same serial collide and the later one is dropped silently.
     *
     * @param keyStore key store receiving the certificate entry
     * @param x509Certificate chain certificate to add
     */
    public static final /* synthetic */ void $anonfun$createKeyStore$22(KeyStore keyStore, X509Certificate x509Certificate) {
        String serialHex = x509Certificate.getSerialNumber().toString(16);
        String chainAlias = "ca-" + serialHex;
        boolean known = keyStore.containsAlias(chainAlias);
        if (!known) {
            keyStore.setCertificateEntry(chainAlias, x509Certificate);
        }
    }

    /**
     * Adds a certificate together with its private key to the key store.
     *
     * <p>Steps, in order: parse the certificate chain; log an error and stop if it is empty; store
     * the key entry under the primary alias; for non-client certificates store the same key under
     * every SAN that is not yet an alias; finally register every chain certificate after the first
     * as a {@code ca-<serial>} entry.
     *
     * <p>The primary alias is {@code client-cert-<serial in hex>} for client certificates, otherwise
     * the domain read from the first chain certificate with {@code cert.domain()} as fallback.
     * {@code KeyStore.setKeyEntry} replaces an existing entry with the same alias, so unlike the
     * SAN aliases the primary alias is last-writer-wins: a later certificate for the same domain
     * takes over that host name.
     *
     * @param cert certificate record supplying id, domain, chain, password, SANs and client flag
     * @param keyStore key store receiving the entries
     * @param x509Certificate parsed certificate, used here only for the client alias serial number
     * @param privateKey decoded private key to store
     */
    public static final /* synthetic */ void $anonfun$createKeyStore$12(Cert cert, KeyStore keyStore, X509Certificate x509Certificate, PrivateKey privateKey) {
        Seq<X509Certificate> readCertificateChain = MODULE$.readCertificateChain(cert.domain(), cert.chain(), MODULE$.readCertificateChain$default$3());
        // A key without any certificate cannot form a key entry: report it and skip this record.
        if (readCertificateChain.isEmpty()) {
            MODULE$.logger().error(() -> {
                return new StringBuilder(56).append("[").append(cert.id()).append("] Certificate file does not contain any certificates :(").toString();
            }, MarkerContext$.MODULE$.NoMarker());
            return;
        }
        MODULE$.logger().debug(() -> {
            return new StringBuilder(32).append("Adding entry for ").append(cert.domain()).append(" with chain of ").append(readCertificateChain.size()).toString();
        }, MarkerContext$.MODULE$.NoMarker());
        // Primary entry. The entry password is cert.password() or "" when absent, i.e. keys of
        // records without a password are stored unprotected inside the key store.
        keyStore.setKeyEntry(cert.client() ? new StringBuilder(12).append("client-cert-").append(x509Certificate.getSerialNumber().toString(16)).toString() : (String) Try$.MODULE$.apply(() -> {
            return (String) SSLImplicits$EnhancedX509Certificate$.MODULE$.maybeDomain$extension(SSLImplicits$.MODULE$.EnhancedX509Certificate((X509Certificate) readCertificateChain.head())).getOrElse(() -> {
                return cert.domain();
            });
        }).toOption().getOrElse(() -> {
            return cert.domain();
        }), privateKey, ((String) cert.password().getOrElse(() -> {
            return "";
        })).toCharArray(), (Certificate[]) readCertificateChain.toArray(ClassTag$.MODULE$.apply(Certificate.class)));
        // SAN aliases are only created for server certificates, and only where the alias is free.
        if (!cert.client()) {
            ((IterableLike) cert.sans().filter(str -> {
                return BoxesRunTime.boxToBoolean($anonfun$createKeyStore$19(keyStore, str));
            })).foreach(str2 -> {
                $anonfun$createKeyStore$20(keyStore, privateKey, cert, readCertificateChain, str2);
                return BoxedUnit.UNIT;
            });
        }
        // Everything after the leaf is stored as a certificate entry of its own ("ca-<serial>").
        ((IterableLike) readCertificateChain.tail()).foreach(x509Certificate2 -> {
            $anonfun$createKeyStore$22(keyStore, x509Certificate2);
            return BoxedUnit.UNIT;
        });
    }

    /**
     * Decodes the private key of a certificate record and, if one is obtained, hands it to the
     * lambda that stores key and chain in the key store.
     *
     * <p>The whole operation runs inside a {@code Try}. A failure is logged at error level with the
     * certificate name and the exception message, then swallowed, so a single broken record does
     * not stop the key store from being built; the record is simply absent from the result.
     * Only {@code getMessage()} is logged, so the stack trace and exception type are lost.
     *
     * @param cert certificate record supplying domain, private key, password and name
     * @param keyStore key store receiving the entries
     * @param x509Certificate parsed certificate forwarded to the storing lambda
     */
    public static final /* synthetic */ void $anonfun$createKeyStore$10(Cert cert, KeyStore keyStore, X509Certificate x509Certificate) {
        Failure apply = Try$.MODULE$.apply(() -> {
            // readPrivateKeyUniversal yields a container that may be empty; foreach stores the key
            // only when one was decoded.
            MODULE$.readPrivateKeyUniversal(cert.domain(), cert.privateKey(), cert.password(), MODULE$.readPrivateKeyUniversal$default$4()).foreach(privateKey -> {
                $anonfun$createKeyStore$12(cert, keyStore, x509Certificate, privateKey);
                return BoxedUnit.UNIT;
            });
        });
        if (apply instanceof Failure) {
            Throwable exception = apply.exception();
            // NOTE(review): the message of a key-decoding exception is written to the log as-is;
            // confirm it cannot contain key material or the password.
            MODULE$.logger().error(() -> {
                return new StringBuilder(36).append("Error while handling certificate: ").append(cert.name()).append(": ").append(exception.getMessage()).toString();
            }, MarkerContext$.MODULE$.NoMarker());
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        } else {
            // Compiler-generated exhaustiveness check of the Scala match on Try.
            if (!(apply instanceof Success)) {
                throw new MatchError(apply);
            }
            BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
        }
    }

    /**
     * Routes one certificate record to the matching key-store insertion path.
     *
     * <ul>
     *   <li>CA records are stored as {@code ca-<serial>} certificate entries.</li>
     *   <li>Records whose private key is blank after trimming are stored as certificate-only
     *       entries.</li>
     *   <li>All other records go through private-key decoding and are stored as key entries.</li>
     * </ul>
     *
     * <p>In every case nothing happens when {@code cert.certificate()} is empty. The CA flag is
     * checked first, so a CA record never has its private key loaded by this method.
     *
     * @param keyStore key store being populated
     * @param cert certificate record to insert
     */
    public static final /* synthetic */ void $anonfun$createKeyStore$2(KeyStore keyStore, Cert cert) {
        if (cert.ca()) {
            cert.certificate().foreach(caCertificate -> {
                $anonfun$createKeyStore$3(keyStore, caCertificate);
                return BoxedUnit.UNIT;
            });
            return;
        }
        boolean keyIsBlank = cert.privateKey().trim().isEmpty();
        if (keyIsBlank) {
            cert.certificate().foreach(trustedCertificate -> {
                $anonfun$createKeyStore$4(cert, keyStore, trustedCertificate);
                return BoxedUnit.UNIT;
            });
            return;
        }
        cert.certificate().foreach(keyedCertificate -> {
            $anonfun$createKeyStore$10(cert, keyStore, keyedCertificate);
            return BoxedUnit.UNIT;
        });
    }

    /**
     * Enables exactly the given cipher suites on the engine.
     *
     * <p>The names are passed to the JDK unchanged; nothing here removes weak suites, so the
     * strength of the result depends entirely on the list supplied by the caller.
     *
     * @param sSLEngine engine to configure
     * @param seq cipher suite names, converted to a {@code String[]}
     */
    public static final /* synthetic */ void $anonfun$createSSLEngine$2(SSLEngine sSLEngine, Seq seq) {
        String[] cipherSuites = (String[]) seq.toArray(ClassTag$.MODULE$.apply(String.class));
        sSLEngine.setEnabledCipherSuites(cipherSuites);
    }

    /**
     * Enables exactly the given protocol versions on the engine.
     *
     * <p>The names are passed to the JDK unchanged; nothing here rejects legacy protocol versions,
     * so the caller's list decides which ones the engine will negotiate.
     *
     * @param sSLEngine engine to configure
     * @param seq protocol names, converted to a {@code String[]}
     */
    public static final /* synthetic */ void $anonfun$createSSLEngine$3(SSLEngine sSLEngine, Seq seq) {
        String[] protocols = (String[]) seq.toArray(ClassTag$.MODULE$.apply(String.class));
        sSLEngine.setEnabledProtocols(protocols);
    }

    /**
     * Sets the cipher suites on the {@code SSLParameters} object.
     *
     * <p>The list is applied as given, without filtering of weak suites.
     *
     * @param sSLParameters parameters object to update
     * @param seq cipher suite names, converted to a {@code String[]}
     */
    public static final /* synthetic */ void $anonfun$createSSLEngine$5(SSLParameters sSLParameters, Seq seq) {
        String[] cipherSuites = (String[]) seq.toArray(ClassTag$.MODULE$.apply(String.class));
        sSLParameters.setCipherSuites(cipherSuites);
    }

    /**
     * Sets the protocol versions on the {@code SSLParameters} object.
     *
     * <p>The list is applied as given, without filtering of legacy protocol versions.
     *
     * @param sSLParameters parameters object to update
     * @param seq protocol names, converted to a {@code String[]}
     */
    public static final /* synthetic */ void $anonfun$createSSLEngine$7(SSLParameters sSLParameters, Seq seq) {
        String[] protocols = (String[]) seq.toArray(ClassTag$.MODULE$.apply(String.class));
        sSLParameters.setProtocols(protocols);
    }

    /**
     * Initializes the singleton: registers the BouncyCastle provider, compiles the PEM patterns
     * and creates the empty certificate maps.
     */
    private DynamicSSLEngineProvider$() {
        // The singleton reference is published before any field below is assigned.
        MODULE$ = this;
        // Registers BouncyCastle with the JVM-wide provider list. addProvider appends, so
        // providers that were already installed keep their precedence.
        Security.addProvider(new BouncyCastleProvider());
        // Zero-length password, used when the key store is written to disk.
        this.EMPTY_PASSWORD = Array$.MODULE$.emptyCharArray();
        this.logger = Logger$.MODULE$.apply("otoroshi-ssl-provider");
        // PEM block matchers. Flag 2 is Pattern.CASE_INSENSITIVE; group 1 captures the base64 body.
        // The patterns are unanchored and allow any text between BEGIN/END and the type keyword,
        // so they locate blocks leniently; they do not validate the decoded bytes.
        this.CERT_PATTERN = Pattern.compile("-+BEGIN\\s+.*CERTIFICATE[^-]*-+(?:\\s|\\r|\\n)+([a-z0-9+/=\\r\\n]+)-+END\\s+.*CERTIFICATE[^-]*-+", 2);
        this.PRIVATE_KEY_PATTERN = Pattern.compile("-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+([a-z0-9+/=\\r\\n]+)-+END\\s+.*PRIVATE\\s+KEY[^-]*-+", 2);
        this.PUBLIC_KEY_PATTERN = Pattern.compile("-+BEGIN\\s+.*PUBLIC\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+([a-z0-9+/=\\r\\n]+)-+END\\s+.*PUBLIC\\s+KEY[^-]*-+", 2);
        this._certificates = new TrieMap<>();
        this._ocspProjectionCertificates = new TrieMap<>();
        // No environment is attached yet; the reference starts out null.
        this.currentEnv = new AtomicReference<>(null);
        // Captures the JVM default SSL context as it is at construction time.
        this.defaultSslContext = SSLContext.getDefault();
    }
}
