package otoroshi.ssl;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import otoroshi.env.Env;
import otoroshi.utils.RegexPool;
import scala.Option;
import scala.Tuple3;
import scala.Unit$;

/* loaded from: input_file:otoroshi/ssl/X509KeyManagerSnitch.class */
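/**
 * Key manager that wraps another {@link X509KeyManager} and extends server-side alias selection
 * with certificates generated on the fly for the handshake's peer host.
 *
 * <p>What this class does (all of it is visible below):
 * <ul>
 *   <li>Client-side alias calls and plain chain/key lookups are delegated to the wrapped manager,
 *       each preceded by a debug log line.</li>
 *   <li>{@link #chooseEngineServerAlias} prefers an alias of the wrapped manager whose pattern
 *       ({@code RegexPool}) matches the peer host; otherwise it serves a generated certificate under
 *       the synthetic alias {@code "tmp-gen-" + peerHost}, kept in {@link #cache} for 20 seconds.
 *       {@link #getCertificateChain} and {@link #getPrivateKey} resolve such aliases from that cache.</li>
 *   <li>Every successful server-alias choice records {@code (session, private key, chain)} in
 *       {@link #_sslSessions} under the key produced by {@code SSLSessionJavaHelper.computeKey};
 *       that field is public, so it is presumably read by code outside this class.</li>
 *   <li>Any exception during server-alias selection is logged and the sentinel alias {@code "--"}
 *       is returned; no alias of that name is served here, so the handshake is expected to fail
 *       downstream rather than fall back to an arbitrary certificate.</li>
 * </ul>
 *
 * <p>Security notes: {@link #_sslSessions} is a process-wide, publicly writable cache that holds
 * private keys, so any code with access to it has access to the key material. The peer host that
 * drives certificate generation comes from the engine (presumably the client-supplied SNI value);
 * it is used only as a cache key, a log value and the domain handed to the certificate store, never
 * to build a path or a query. Both caches are bounded in size and time, which limits how much
 * generated material an untrusted peer can keep resident.
 *
 * <p>Thread-safety: both caches are Caffeine caches (safe for concurrent use); apart from them the
 * class holds only the immutable delegate reference.
 */
public class X509KeyManagerSnitch extends X509ExtendedKeyManager {

    /** Prefix of the synthetic aliases under which generated certificates are served. */
    private static final String TMP_GEN_PREFIX = "tmp-gen-";

    /**
     * Session key -> (handshake session, private key, certificate chain) chosen for that session.
     * Bounded to 1000 entries and 5 seconds after write. Kept public and non-final because external
     * code reaches the field directly; treat reads of it as reads of private key material.
     */
    public static Cache<String, Tuple3<SSLSession, PrivateKey, X509Certificate[]>> _sslSessions =
            Caffeine.newBuilder().maximumSize(1000).expireAfterWrite(5, TimeUnit.SECONDS).build();

    /** The key manager every non-generated alias is delegated to. */
    private final X509KeyManager manager;

    /** Generated certificates by synthetic alias; bounded to 100 entries and 20 seconds after write. */
    private final Cache<String, Cert> cache =
            Caffeine.newBuilder().maximumSize(100).expireAfterWrite(20, TimeUnit.SECONDS).build();

    /**
     * Creates a snitching key manager around an existing one.
     *
     * @param x509KeyManager the manager to delegate to for every alias it knows about
     */
    public X509KeyManagerSnitch(X509KeyManager x509KeyManager) {
        this.manager = x509KeyManager;
    }

    /** Logs at DEBUG through the dynamic SSL provider's logger. */
    private void debug(String str) {
        DynamicSSLEngineProvider.logger().underlyingLogger().debug(str);
    }

    /** Logs at ERROR, with cause, through the dynamic SSL provider's logger. */
    private void error(String str, Throwable th) {
        DynamicSSLEngineProvider.logger().underlyingLogger().error(str, th);
    }

    /** Logs at INFO through the dynamic SSL provider's logger. */
    private void info(String str) {
        DynamicSSLEngineProvider.logger().underlyingLogger().info(str);
    }

    /** True for aliases of the form {@code "tmp-gen-" + host}; null-safe. */
    private static boolean isGeneratedAlias(String alias) {
        return alias != null && alias.startsWith(TMP_GEN_PREFIX);
    }

    /**
     * Returns the host part of a generated alias. Only the leading prefix is removed, so a host
     * that itself contains the prefix text is preserved intact.
     */
    private static String stripGeneratedPrefix(String alias) {
        return alias.substring(TMP_GEN_PREFIX.length());
    }

    /**
     * Records the chosen key material for the handshake in {@link #_sslSessions}, but only when a
     * session key could be computed. Values are read lazily inside the callback, as in the original
     * per-call-site lambdas.
     */
    private void rememberSession(Option<String> sessionKey, SSLEngine engine, Cert cert) {
        sessionKey.foreach(key -> {
            _sslSessions.put(key, Tuple3.apply(engine.getSession(), cert.cryptoKeyPair().getPrivate(), cert.certificatesChain()));
            return Unit$.MODULE$;
        });
    }

    /**
     * Same as {@link #rememberSession(Option, SSLEngine, Cert)} but for an alias owned by the wrapped
     * manager, whose key and chain are fetched from it.
     */
    private void rememberSessionForAlias(Option<String> sessionKey, SSLEngine engine, String alias) {
        sessionKey.foreach(key -> {
            _sslSessions.put(key, Tuple3.apply(engine.getSession(), this.manager.getPrivateKey(alias), this.manager.getCertificateChain(alias)));
            return Unit$.MODULE$;
        });
    }

    /**
     * Stores a freshly generated certificate under its synthetic alias and, unless its subject carries
     * the {@code SSLSessionJavaHelper.NotAllowed()} marker, registers it with the dynamic SSL provider.
     *
     * @param alias     synthetic alias ({@code "tmp-gen-" + host}) used as cache key
     * @param generated the certificate as returned by the certificate store; must be defined
     * @param env       environment used when registering the certificate
     * @return the certificate now held in {@link #cache}
     */
    private Cert installGeneratedCert(String alias, Option<Cert> generated, Env env) {
        Cert cert = generated.get();
        this.cache.put(alias, cert);
        if (!cert.subject().contains(SSLSessionJavaHelper.NotAllowed())) {
            DynamicSSLEngineProvider.addCertificates(generated.toList(), env);
        }
        return cert;
    }

    @Override // javax.net.ssl.X509KeyManager
    public String[] getClientAliases(String str, Principal[] principalArr) {
        debug("X509KeyManagerSnitch.getClientAliases(" + str + ")");
        return this.manager.getClientAliases(str, principalArr);
    }

    @Override // javax.net.ssl.X509KeyManager
    public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        // Arrays.toString: concatenating the array directly only logs its identity hash.
        debug("X509KeyManagerSnitch.chooseClientAlias(" + Arrays.toString(strArr) + ")");
        return this.manager.chooseClientAlias(strArr, principalArr, socket);
    }

    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        debug("X509KeyManagerSnitch.chooseEngineClientAlias(" + Arrays.toString(strArr) + ")");
        // The engine is not forwarded: the wrapped manager only sees the Socket variant with no socket.
        return chooseClientAlias(strArr, principalArr, (Socket) null);
    }

    @Override // javax.net.ssl.X509KeyManager
    public String[] getServerAliases(String str, Principal[] principalArr) {
        debug("X509KeyManagerSnitch.getServerAliases(" + str + ")");
        return this.manager.getServerAliases(str, principalArr);
    }

    @Override // javax.net.ssl.X509KeyManager
    public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        debug("X509KeyManagerSnitch.chooseServerAlias(" + str + ")");
        return this.manager.chooseServerAlias(str, principalArr, socket);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Generated aliases are answered from {@link #cache}; once the entry has expired (20 s) the
     * bare host name is looked up in the wrapped manager instead. A null alias is delegated as-is.
     */
    @Override // javax.net.ssl.X509KeyManager
    public X509Certificate[] getCertificateChain(String str) {
        debug("X509KeyManagerSnitch.getCertificateChain(" + str + ")");
        if (!isGeneratedAlias(str)) {
            return this.manager.getCertificateChain(str);
        }
        Cert cert = this.cache.getIfPresent(str);
        return cert != null ? cert.certificatesChain() : this.manager.getCertificateChain(stripGeneratedPrefix(str));
    }

    /**
     * {@inheritDoc}
     *
     * <p>Mirrors {@link #getCertificateChain}: generated aliases come from {@link #cache}, falling
     * back to the wrapped manager under the bare host name after expiry. A null alias is delegated as-is.
     */
    @Override // javax.net.ssl.X509KeyManager
    public PrivateKey getPrivateKey(String str) {
        debug("X509KeyManagerSnitch.getPrivateKey(" + str + ")");
        if (!isGeneratedAlias(str)) {
            return this.manager.getPrivateKey(str);
        }
        Cert cert = this.cache.getIfPresent(str);
        return cert != null ? cert.cryptoKeyPair().getPrivate() : this.manager.getPrivateKey(stripGeneratedPrefix(str));
    }

    /**
     * Chooses the server alias for an engine-based handshake.
     *
     * <p>Order of resolution:
     * <ol>
     *   <li>No peer host on the engine: fail ({@code NoHostnameFoundException}).</li>
     *   <li>The wrapped manager has no aliases for {@code str}: serve the cached generated certificate
     *       for the host, or generate one if the global config has {@code autoCert} enabled; otherwise
     *       fail ({@code NoAliasesFoundException}).</li>
     *   <li>An alias whose pattern matches the peer host: use it.</li>
     *   <li>Otherwise: cached generated certificate, then a freshly generated one, else fail
     *       ({@code NoCertificateFoundException}).</li>
     * </ol>
     * Every failure is caught, logged and turned into the sentinel alias {@code "--"}.
     *
     * @param str          key type requested by the engine
     * @param principalArr acceptable issuers, passed through to the wrapped manager
     * @param sSLEngine    engine performing the handshake; supplies the peer host and the session
     * @return the chosen alias, or {@code "--"} when none could be determined
     */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
        Option<String> sessionKey = SSLSessionJavaHelper.computeKey(sSLEngine.getHandshakeSession());
        try {
            String peerHost = sSLEngine.getPeerHost();
            if (peerHost == null) {
                throw new NoHostnameFoundException();
            }
            String generatedAlias = TMP_GEN_PREFIX + peerHost;
            String[] serverAliases = this.manager.getServerAliases(str, principalArr);
            debug("host: " + peerHost + ", aliases: " + (serverAliases != null ? serverAliases.length : 0));
            if (serverAliases == null) {
                // The wrapped manager has nothing for this key type: only a generated certificate can serve the host.
                Cert cached = this.cache.getIfPresent(generatedAlias);
                if (cached != null) {
                    rememberSession(sessionKey, sSLEngine, cached);
                    return generatedAlias;
                }
                Env env = DynamicSSLEngineProvider.getCurrentEnv();
                boolean autoCertEnabled = env != null && env.datastores().globalConfigDataStore().latestSafe().exists(globalConfig -> {
                    return Boolean.valueOf(globalConfig.autoCert().enabled());
                });
                if (!autoCertEnabled) {
                    // peerHost is known to be non-null here, so the missing aliases are the only reason left.
                    throw new NoAliasesFoundException();
                }
                info("dyn stuff enabled");
                Option<Cert> generated = env.datastores().certificatesDataStore().jautoGenerateCertificateForDomain(peerHost, env);
                if (!generated.isDefined()) {
                    info("no autogen cert");
                    throw new NoCertificateFoundException(peerHost);
                }
                info("got autogen cert " + generatedAlias);
                Cert cert = installGeneratedCert(generatedAlias, generated, env);
                rememberSession(sessionKey, sSLEngine, cert);
                return generatedAlias;
            }
            List<String> aliases = Arrays.asList(serverAliases);
            Optional<String> firstAlias = aliases.stream().findFirst();
            Optional<String> matchingAlias = aliases.stream()
                    .filter(alias -> RegexPool.apply(alias).matches(peerHost))
                    .findFirst();
            if (matchingAlias.isPresent()) {
                String alias = matchingAlias.get();
                debug("chooseEngineServerAlias: " + peerHost + " - " + firstAlias + " - " + alias);
                rememberSessionForAlias(sessionKey, sSLEngine, alias);
                return alias;
            }
            Cert cached = this.cache.getIfPresent(generatedAlias);
            if (cached != null) {
                rememberSession(sessionKey, sSLEngine, cached);
                return generatedAlias;
            }
            Env env = DynamicSSLEngineProvider.getCurrentEnv();
            if (env == null) {
                throw new NoCertificateFoundException(peerHost);
            }
            // NOTE(review): unlike the no-aliases branch above, this path does not consult autoCert().enabled()
            // before generating — confirm that jautoGenerateCertificateForDomain enforces that setting itself.
            Option<Cert> generated = env.datastores().certificatesDataStore().jautoGenerateCertificateForDomain(peerHost, env);
            if (!generated.isDefined()) {
                throw new NoCertificateFoundException(peerHost);
            }
            Cert cert = installGeneratedCert(generatedAlias, generated, env);
            rememberSession(sessionKey, sSLEngine, cert);
            return generatedAlias;
        } catch (Exception e) {
            error("Error while chosing server alias", e);
            return "--";
        }
    }
}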
