package io.helidon.reactive.webserver;

import io.helidon.common.LazyValue;
import io.helidon.common.pki.KeyConfig;
import io.helidon.config.Config;
import io.helidon.config.DeprecatedConfig;
import io.helidon.config.metadata.Configured;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:io/helidon/reactive/webserver/WebServerTls.class */
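/**
 * TLS configuration of the reactive web server.
 * <p>
 * Holds the {@link SSLContext} to use for the server socket together with the
 * TLS protocol versions, cipher suites and client-authentication mode the server
 * is expected to apply to it (the protocol/cipher lists are only stored here; they
 * are not applied to the context by this class). Build it with {@link #builder()}
 * or {@link #create(Config)}.
 * <p>
 * NOTE(review): this listing was recovered from a class file (decompiler output).
 * {@code m54build} is the decompiler's rendering of {@code build()}, and the
 * package-private accessors were widened to {@code public} by the decompiler;
 * both are kept so existing callers of this artifact keep compiling.
 */
public final class WebServerTls {
    /**
     * Algorithm name handed to {@link SSLContext#getInstance(String)}. "TLS" lets the
     * provider decide which protocol versions the context supports; the versions a
     * socket actually offers are governed by {@link #enabledTlsProtocols()} (applied
     * elsewhere) and otherwise by the JDK defaults / {@code jdk.tls.disabledAlgorithms}.
     */
    private static final String PROTOCOL = "TLS";
    /** CSPRNG used for the throw-away password of the in-memory key store built in {@code buildKmf}. */
    private static final LazyValue<SecureRandom> RANDOM = LazyValue.create(SecureRandom::new);
    /** Request-context key under which the authenticated client X.509 certificate is published. */
    public static final String CLIENT_X509_CERTIFICATE = WebServerTls.class.getName() + ".client-x509-certificate";
    private final Set<String> enabledTlsProtocols;
    private final Set<String> cipherSuite;
    private final SSLContext sslContext;
    private final boolean enabled;
    private final ClientAuthentication clientAuth;

    /**
     * Fluent builder for {@link WebServerTls}.
     * <p>
     * TLS becomes enabled implicitly when a private key, trust store or ready-made
     * {@link SSLContext} is supplied, or explicitly through {@link #enabled(boolean)}
     * (which always wins over the implicit flag).
     */
    @Configured
    public static class Builder implements io.helidon.common.Builder<Builder, WebServerTls> {
        private SSLContext sslContext;
        private KeyConfig privateKeyConfig;
        private KeyConfig trustConfig;
        private long sessionCacheSize;
        private long sessionTimeoutSeconds;
        // Implicit enablement: set whenever a key, trust store or context is supplied.
        private boolean enabled;
        // Explicit enablement from enabled(boolean) / config "enabled"; overrides the flag above when non-null.
        private Boolean explicitEnabled;
        private final Set<String> enabledTlsProtocols = new HashSet<>();
        private Set<String> cipherSuite = Set.of();
        private ClientAuthentication clientAuth = ClientAuthentication.NONE;

        private Builder() {
        }

        /**
         * Builds the TLS configuration (decompiler name for {@code build()}).
         * <p>
         * When TLS is disabled the built instance carries no context and reports
         * {@code enabled() == false}. When enabled and no {@link SSLContext} was
         * supplied, one is created from the configured private key and trust store.
         *
         * @return the immutable TLS configuration
         * @throws IllegalStateException if TLS is enabled but no private key was configured,
         *                               or the SSL context cannot be built
         */
        public WebServerTls m54build() {
            boolean tlsOn = (explicitEnabled == null) ? enabled : explicitEnabled;
            if (!tlsOn) {
                // Drop any context that may have been supplied so the result is cleanly disabled.
                sslContext = null;
                return new WebServerTls(this);
            }
            if (sslContext == null) {
                sslContext = newSSLContext();
            }
            return new WebServerTls(this);
        }

        /**
         * Updates this builder from configuration.
         * <p>
         * Recognised keys: {@code enabled}, {@code client-auth}, {@code private-key},
         * {@code trust}, {@code protocols}, {@code session-cache-size},
         * {@code cipher-suite}, {@code session-timeout-seconds} (deprecated alias
         * {@code session-timeout}). If {@code enabled} is explicitly {@code false},
         * the remaining keys are not read.
         *
         * @param config configuration node of the TLS section
         * @return updated builder
         */
        public Builder config(Config config) {
            config.get("enabled").asBoolean().ifPresent(this::enabled);
            if (explicitEnabled != null && !explicitEnabled) {
                // Explicitly disabled: nothing else is relevant.
                return this;
            }
            config.get("client-auth").asString().ifPresent(this::clientAuth);
            config.get("private-key").ifExists(node -> privateKey(KeyConfig.create(node)));
            config.get("trust").ifExists(node -> trust(KeyConfig.create(node)));
            config.get("protocols").asList(String.class).ifPresent(this::enabledProtocols);
            config.get("session-cache-size").asLong().ifPresent(this::sessionCacheSize);
            config.get("cipher-suite").asList(String.class).ifPresent(this::allowedCipherSuite);
            DeprecatedConfig.get(config, "session-timeout-seconds", "session-timeout")
                    .asLong()
                    .ifPresent(this::sessionTimeoutSeconds);
            return this;
        }

        /**
         * Parses a client-authentication mode name from configuration.
         * Uses {@link Locale#ROOT} so the mapping does not depend on the JVM's default
         * locale (e.g. Turkish locales upper-case {@code i} to a dotted capital, which
         * would make {@code "optional"} unparseable).
         *
         * @param str case-insensitive name of a {@link ClientAuthentication} constant
         * @throws IllegalArgumentException if the name does not match any constant
         */
        private void clientAuth(String str) {
            clientAuth(ClientAuthentication.valueOf(str.toUpperCase(Locale.ROOT)));
        }

        /**
         * Sets the client-authentication mode.
         * <p>
         * NOTE(review): with {@code REQUIRE}/{@code OPTIONAL} a trust store should also be
         * configured via {@link #trust(KeyConfig)}; this class builds an empty trust store
         * when none is given (see {@code buildTmf}), which is expected to reject every
         * client certificate rather than fall back to the JDK's cacerts — confirm against
         * the provider in use.
         *
         * @param clientAuthentication mode, must not be {@code null}
         * @return updated builder
         */
        public Builder clientAuth(ClientAuthentication clientAuthentication) {
            this.clientAuth = Objects.requireNonNull(clientAuthentication);
            return this;
        }

        /**
         * Uses a ready-made SSL context and enables TLS. A later call to
         * {@link #privateKey(KeyConfig)} or {@link #trust(KeyConfig)} discards it.
         *
         * @param sSLContext context to use
         * @return updated builder
         */
        public Builder sslContext(SSLContext sSLContext) {
            this.enabled = true;
            this.sslContext = sSLContext;
            return this;
        }

        /**
         * Replaces the set of enabled TLS protocol versions.
         *
         * @param strArr protocol names, e.g. {@code "TLSv1.3"}
         * @return updated builder
         */
        public Builder enabledProtocols(String... strArr) {
            return enabledProtocols(Arrays.asList(Objects.requireNonNull(strArr)));
        }

        /**
         * Replaces the set of enabled TLS protocol versions. An empty collection means
         * "no restriction"; the provider defaults then apply.
         *
         * @param collection protocol names
         * @return updated builder
         */
        public Builder enabledProtocols(Collection<String> collection) {
            Objects.requireNonNull(collection);
            enabledTlsProtocols.clear();
            enabledTlsProtocols.addAll(collection);
            return this;
        }

        /**
         * Sets the server's private key and certificate chain, enables TLS and discards
         * any previously supplied {@link SSLContext}.
         *
         * @param keyConfig key configuration, must not be {@code null}
         * @return updated builder
         */
        public Builder privateKey(KeyConfig keyConfig) {
            this.enabled = true;
            this.sslContext = null;
            this.privateKeyConfig = Objects.requireNonNull(keyConfig);
            return this;
        }

        /**
         * Supplier variant of {@link #privateKey(KeyConfig)}.
         *
         * @param supplier supplier of the key configuration
         * @return updated builder
         */
        public Builder privateKey(Supplier<KeyConfig> supplier) {
            return privateKey(supplier.get());
        }

        /**
         * Sets the certificates trusted for client authentication, enables TLS and
         * discards any previously supplied {@link SSLContext}.
         *
         * @param keyConfig trust configuration, must not be {@code null}
         * @return updated builder
         */
        public Builder trust(KeyConfig keyConfig) {
            this.enabled = true;
            this.sslContext = null;
            this.trustConfig = Objects.requireNonNull(keyConfig);
            return this;
        }

        /**
         * Supplier variant of {@link #trust(KeyConfig)}.
         *
         * @param supplier supplier of the trust configuration
         * @return updated builder
         */
        public Builder trust(Supplier<KeyConfig> supplier) {
            return trust(supplier.get());
        }

        /**
         * Sets the TLS session cache size. Values {@code <= 0} leave the provider default;
         * values above {@link Integer#MAX_VALUE} are clamped.
         *
         * @param j cache size
         * @return updated builder
         */
        public Builder sessionCacheSize(long j) {
            this.sessionCacheSize = j;
            return this;
        }

        /**
         * Sets the TLS session timeout in seconds. Values {@code <= 0} leave the provider
         * default; values above {@link Integer#MAX_VALUE} are clamped.
         *
         * @param j timeout in seconds
         * @return updated builder
         */
        public Builder sessionTimeoutSeconds(long j) {
            this.sessionTimeoutSeconds = j;
            return this;
        }

        /**
         * Sets the TLS session timeout in the given unit (converted to whole seconds).
         *
         * @param j        timeout
         * @param timeUnit unit of {@code j}
         * @return updated builder
         */
        public Builder sessionTimeout(long j, TimeUnit timeUnit) {
            this.sessionTimeoutSeconds = timeUnit.toSeconds(j);
            return this;
        }

        /**
         * Restricts the cipher suites the server may negotiate. Only stored here; the
         * caller that opens the socket is expected to apply it.
         *
         * @param list cipher suite names, must contain at least one entry
         * @return updated builder
         * @throws IllegalStateException if the list is empty
         */
        public Builder allowedCipherSuite(List<String> list) {
            Objects.requireNonNull(list);
            if (list.isEmpty()) {
                throw new IllegalStateException("Allowed cipher suite has to have at least one cipher specified");
            }
            this.cipherSuite = Set.copyOf(list);
            return this;
        }

        /**
         * Explicitly enables or disables TLS, overriding the implicit enablement that a
         * key, trust store or context would otherwise trigger.
         *
         * @param z {@code true} to enable
         * @return updated builder
         */
        public Builder enabled(boolean z) {
            this.enabled = z;
            this.explicitEnabled = z;
            return this;
        }

        /**
         * Creates the server {@link SSLContext} from the configured key and trust material.
         *
         * @return initialised context with session cache/timeout applied when configured
         * @throws IllegalStateException if no private key is configured or the context cannot be built
         */
        private SSLContext newSSLContext() {
            try {
                if (privateKeyConfig == null) {
                    // Fail closed: TLS was requested but there is nothing to present to peers.
                    throw new IllegalStateException("Private key must be configured when SSL is enabled.");
                }
                KeyManagerFactory kmf = buildKmf(privateKeyConfig);
                // A null trustConfig yields an empty trust store, not the JDK default cacerts.
                TrustManagerFactory tmf = buildTmf(trustConfig);
                SSLContext context = SSLContext.getInstance(WebServerTls.PROTOCOL);
                // null SecureRandom: the provider selects its own source.
                context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                SSLSessionContext sessions = context.getServerSessionContext();
                if (sessionCacheSize > 0) {
                    sessions.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE));
                }
                if (sessionTimeoutSeconds > 0) {
                    sessions.setSessionTimeout((int) Math.min(sessionTimeoutSeconds, Integer.MAX_VALUE));
                }
                return context;
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalStateException("Failed to build server SSL Context!", e);
            }
        }

        /**
         * Wraps the private key and its certificate chain in an in-memory key store
         * protected by a random one-off password and initialises a {@link KeyManagerFactory}
         * from it.
         *
         * @param keyConfig source of the private key and chain
         * @return initialised key manager factory
         * @throws IOException              if the key store cannot be initialised
         * @throws GeneralSecurityException if the key store or factory cannot be created
         * @throws IllegalStateException    if the configuration holds no private key
         */
        private static KeyManagerFactory buildKmf(KeyConfig keyConfig) throws IOException, GeneralSecurityException {
            String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
            if (algorithm == null) {
                algorithm = "SunX509";
            }
            // The key store lives only in memory, so the password merely has to be unguessable
            // for the lifetime of this call; 64 CSPRNG bytes, Base64-encoded, is plenty.
            byte[] secret = new byte[64];
            RANDOM.get().nextBytes(secret);
            char[] password = Base64.getEncoder().encodeToString(secret).toCharArray();

            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            Key privateKey = keyConfig.privateKey()
                    .orElseThrow(() -> new IllegalStateException("Private key not available"));
            Certificate[] chain = keyConfig.certChain().toArray(new Certificate[0]);
            keyStore.setKeyEntry("key", privateKey, password, chain);

            KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
            kmf.init(keyStore, password);
            return kmf;
        }

        /**
         * Builds a {@link TrustManagerFactory} over the configured trusted certificates.
         * <p>
         * A {@code null} configuration (or one without certificates) produces an empty
         * trust store. NOTE(review): the resulting trust manager is expected to trust
         * nothing — i.e. reject all client certificates — rather than fall back to the
         * JDK default trust store; verify against the provider in use before relying on it.
         *
         * @param keyConfig trust configuration, may be {@code null}
         * @return initialised trust manager factory
         * @throws IOException              if the trust store cannot be initialised
         * @throws GeneralSecurityException if the trust store or factory cannot be created
         */
        private static TrustManagerFactory buildTmf(KeyConfig keyConfig) throws IOException, GeneralSecurityException {
            List<?> trusted = (keyConfig == null) ? List.of() : keyConfig.certs();
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
            // Aliases are positional ("1", "2", ...); they only need to be unique within the store.
            int alias = 1;
            for (Object cert : trusted) {
                trustStore.setCertificateEntry(String.valueOf(alias), (X509Certificate) cert);
                alias++;
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            return tmf;
        }
    }

    /**
     * Snapshots the builder state. {@code enabled} is derived from the presence of a
     * context, which the builder has already nulled out when TLS is disabled.
     */
    private WebServerTls(Builder builder) {
        this.enabledTlsProtocols = Set.copyOf(builder.enabledTlsProtocols);
        this.cipherSuite = builder.cipherSuite;
        this.sslContext = builder.sslContext;
        this.enabled = this.sslContext != null;
        this.clientAuth = builder.clientAuth;
    }

    /**
     * Creates a new builder with TLS disabled and no client authentication.
     *
     * @return new builder
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Creates the configuration directly from a configuration node.
     *
     * @param config TLS configuration section
     * @return built configuration
     * @throws IllegalStateException if TLS is enabled but the context cannot be built
     */
    public static WebServerTls create(Config config) {
        return builder().config(config).m54build();
    }

    /**
     * Enabled TLS protocol versions; empty means the provider defaults apply.
     * (Originally package-private; widened by the decompiler.)
     */
    public Collection<String> enabledTlsProtocols() {
        return enabledTlsProtocols;
    }

    /**
     * The SSL context, or {@code null} when TLS is disabled.
     * (Originally package-private; widened by the decompiler.)
     */
    public SSLContext sslContext() {
        return sslContext;
    }

    /**
     * Client-authentication mode to apply to the server socket.
     * (Originally package-private; widened by the decompiler.)
     */
    public ClientAuthentication clientAuth() {
        return clientAuth;
    }

    /**
     * Allowed cipher suites; empty means the provider defaults apply.
     * (Originally package-private; widened by the decompiler.)
     */
    public Set<String> cipherSuite() {
        return cipherSuite;
    }

    /**
     * @return {@code true} if a TLS context is present and the server should use TLS
     */
    public boolean enabled() {
        return enabled;
    }
}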
