package com.wultra.core.rest.client.base.util;

import com.wultra.core.rest.client.base.RestClientConfiguration;
import com.wultra.core.rest.client.base.RestClientException;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Objects;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ResourceUtils;

/* loaded from: input_file:com/wultra/core/rest/client/base/util/SslUtils.class */
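/**
 * Builds the Netty {@link SslContext} for the REST client from a {@link RestClientConfiguration}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When {@code isAcceptInvalidSslCertificate()} is set, server certificate validation is
 *       switched off completely and the key store / trust store settings are not applied.</li>
 *   <li>When certificate authentication is disabled, {@code null} is returned and no custom
 *       trust store is applied, even if one is configured.</li>
 * </ul>
 */
public class SslUtils {
    private static final Logger logger = LoggerFactory.getLogger(SslUtils.class);

    private SslUtils() {
    }

    /**
     * Prepares the client-side SSL context.
     *
     * @param restClientConfiguration REST client configuration to read the TLS settings from.
     * @return the configured context, or {@code null} when neither the insecure mode nor
     *         certificate authentication is enabled (presumably the caller then keeps the
     *         default TLS settings; verify against the caller).
     * @throws RestClientException when a required setting is missing, a store cannot be read,
     *         or the key / certificate material is invalid.
     */
    public static SslContext prepareSslContext(RestClientConfiguration restClientConfiguration) throws RestClientException {
        try {
            final SslContextBuilder builder = SslContextBuilder.forClient();
            if (restClientConfiguration.isAcceptInvalidSslCertificate()) {
                // Any server certificate is accepted from here on, so the peer is not authenticated.
                // Make the mode visible in the logs so it cannot stay enabled unnoticed.
                logger.warn("SSL certificate validation is disabled by configuration, the server identity is not verified");
                return builder.trustManager(InsecureTrustManagerFactory.INSTANCE).build();
            }
            if (!restClientConfiguration.isCertificateAuthEnabled()) {
                return null;
            }
            if (restClientConfiguration.useCustomKeyStore()) {
                configureKeyManager(builder, restClientConfiguration);
            }
            if (restClientConfiguration.useCustomTrustStore()) {
                configureTrustManager(builder, restClientConfiguration);
            }
            return builder.build();
        } catch (IOException | GeneralSecurityException e) {
            // Keep the stack trace available for diagnostics; the thrown exception carries the message only.
            // NOTE(review): if RestClientException offers a (message, cause) constructor, prefer it here.
            logger.debug("SSL configuration failed", e);
            throw new RestClientException("SSL configuration failed, error: " + e.getMessage());
        }
    }

    /** Loads the client private key and its certificate chain and registers them on the builder. */
    private static void configureKeyManager(SslContextBuilder builder, RestClientConfiguration config)
            throws IOException, GeneralSecurityException, RestClientException {
        if (config.getKeyStorePassword() == null) {
            throw new RestClientException("Keystore password is not configured");
        }
        if (config.getKeyAlias() == null) {
            throw new RestClientException("Keystore key alias is not configured");
        }
        if (config.getKeyPassword() == null) {
            throw new RestClientException("Keystore key password is not configured");
        }
        final String keyAlias = config.getKeyAlias();
        final KeyStore keyStore = loadStore(config.getKeyStoreBytes(), config.getKeyStoreLocation(),
                config.getKeyStorePassword().toCharArray(), "Keystore", "key store");

        final Object key = keyStore.getKey(keyAlias, config.getKeyPassword().toCharArray());
        final Certificate[] certificateChain = keyStore.getCertificateChain(keyAlias);
        // A missing alias yields null for both lookups; an entry that is not a private key
        // is rejected here instead of failing with a ClassCastException.
        if (certificateChain == null || !(key instanceof PrivateKey)) {
            throw new RestClientException("Invalid or missing key with alias: " + keyAlias);
        }
        final X509Certificate[] x509Chain = Arrays.stream(certificateChain)
                .map(X509Certificate.class::cast)
                .toArray(X509Certificate[]::new);
        // NOTE(review): the key store password (not the key password) is handed to the builder,
        // as in the original code; the key is already extracted at this point - confirm this is intended.
        builder.keyManager((PrivateKey) key, config.getKeyStorePassword(), x509Chain);
    }

    /** Loads the certificate entries of the configured trust store and registers them as trust anchors. */
    private static void configureTrustManager(SslContextBuilder builder, RestClientConfiguration config)
            throws IOException, GeneralSecurityException, RestClientException {
        // Checked before the password is dereferenced, so a missing password is reported as a
        // configuration error for both the byte-array and the file source.
        if (config.getTrustStorePassword() == null) {
            throw new RestClientException("Truststore password is not configured");
        }
        final KeyStore trustStore = loadStore(config.getTrustStoreBytes(), config.getTrustStoreLocation(),
                config.getTrustStorePassword().toCharArray(), "Truststore", "trust store");

        final var errors = new ArrayList<KeyStoreException>();
        final var anchors = new ArrayList<X509Certificate>();
        for (String alias : Collections.list(trustStore.aliases())) {
            try {
                // Only certificate entries are trust anchors; key entries are skipped.
                if (trustStore.isCertificateEntry(alias)) {
                    anchors.add((X509Certificate) trustStore.getCertificate(alias));
                }
            } catch (KeyStoreException e) {
                errors.add(e);
            }
        }
        if (!errors.isEmpty()) {
            throw new RestClientException("Invalid truststore data provided: " + errors);
        }
        // NOTE(review): a trust store without certificate entries produces an empty anchor array;
        // confirm how the builder treats that case.
        builder.trustManager(anchors.toArray(new X509Certificate[0]));
    }

    /**
     * Loads a key store of the JVM default type from the byte data when present, otherwise from the file location.
     *
     * @param errorName store name used in exception messages ("Keystore" / "Truststore").
     * @param logName store name used in debug log messages ("key store" / "trust store").
     */
    private static KeyStore loadStore(byte[] storeBytes, String location, char[] password, String errorName, String logName)
            throws IOException, GeneralSecurityException, RestClientException {
        final KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storeBytes != null) {
            store.load(new ByteArrayInputStream(storeBytes), password);
            logger.debug("Loaded " + logName + " from the provided byte data");
            return store;
        }
        if (location == null) {
            throw new RestClientException(errorName + " location is not configured");
        }
        final File file = ResourceUtils.getFile(location);
        if (!file.exists() || !file.canRead()) {
            throw new RestClientException(errorName + " is not accessible: " + file.getAbsolutePath());
        }
        // try-with-resources closes the stream even when load() fails (wrong password, corrupt file).
        try (FileInputStream in = new FileInputStream(file)) {
            store.load(in, password);
        }
        logger.debug("Loaded " + logName + " from the configured file location");
        return store;
    }
}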
