package org.reaktivity.nukleus.tls.internal.config;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import org.agrona.LangUtil;
import org.reaktivity.nukleus.tls.internal.identity.TlsX509ExtendedKeyManager;
import org.reaktivity.nukleus.tls.internal.types.Array32FW;
import org.reaktivity.nukleus.tls.internal.types.ProxyInfoFW;
import org.reaktivity.nukleus.tls.internal.types.ProxyInfoType;
import org.reaktivity.nukleus.tls.internal.types.ProxySecureInfoType;
import org.reaktivity.nukleus.tls.internal.types.stream.ProxyBeginExFW;
import org.reaktivity.reaktor.config.Binding;
import org.reaktivity.reaktor.config.Role;
import org.reaktivity.reaktor.nukleus.vault.BindingVault;

/* loaded from: input_file:org/reaktivity/nukleus/tls/internal/config/TlsBinding.class */
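/**
 * Runtime view of one configured TLS binding: its routes, the {@link SSLContext} assembled from the
 * binding's vault, and factories for client- and server-mode {@link SSLEngine}s.
 *
 * <p>Lifecycle: construct from a {@link Binding}, call {@link #init} once to build the context, then
 * call {@link #newClientEngine} / {@link #newServerEngine} per stream. Until {@code init} has run,
 * both engine factories return {@code null}.
 *
 * <p>NOTE(review): {@link #init} assigns {@link #context} without any synchronization; presumably
 * it completes before the binding is shared with stream handlers -- confirm against the caller.
 */
public final class TlsBinding {
    /** Type of the in-memory {@link KeyStore}s assembled from the vault. */
    private static final String TYPE_DEFAULT = "PKCS12";

    /**
     * Password for the in-memory key store. The store never leaves this process, so the value only
     * has to agree between {@link KeyStore#load} and {@link KeyManagerFactory#init}; it protects
     * nothing and is not a secret.
     */
    private static final String STORE_PASSWORD = "generated";

    public final long id;
    /** Id of the vault holding this binding's keys and certificates; {@code 0} when none is configured. */
    public final long vaultId;
    public final String entry;
    public final TlsOptions options;
    /** Role of this binding; only a {@link Role#CLIENT} may honour {@code trustcacerts}. */
    public final Role kind;
    /** Routes in configuration order; {@link #resolve} returns the first whose matcher accepts. */
    public final List<TlsRoute> routes;
    /** Fallback route used when no entry of {@link #routes} matches, or {@code null}. */
    public final TlsRoute exit;

    /** Built by {@link #init}; {@code null} until then. */
    private SSLContext context;

    /**
     * Captures the binding's configuration; no TLS state is created until {@link #init}.
     *
     * @param binding the configured binding; {@code binding.options} must be a {@link TlsOptions}
     * @throws ClassCastException if {@code binding.options} is of another type
     */
    public TlsBinding(Binding binding) {
        id = binding.id;
        vaultId = binding.vault != null ? binding.vault.id : 0L;
        entry = binding.entry;
        kind = binding.kind;
        options = TlsOptions.class.cast(binding.options);
        routes = binding.routes.stream().map(TlsRoute::new).collect(Collectors.toList());
        exit = binding.exit != null ? new TlsRoute(binding.exit) : null;
    }

    /**
     * Builds this binding's {@link SSLContext} from the vault.
     *
     * <p>Key material: every name in {@code options.keys} and every key signed by a name in
     * {@code options.signers} is copied into an in-memory PKCS12 store; the resulting
     * {@link X509ExtendedKeyManager}s are wrapped in {@link TlsX509ExtendedKeyManager} (presumably
     * so a client certificate can be picked by the distinguished name stored by
     * {@link #newClientEngine} -- see that method).
     *
     * <p>Trust material: the names in {@code options.trust}, plus the JDK's {@code cacerts} when
     * {@code options.trustcacerts} is set <em>and</em> this is a {@link Role#CLIENT} binding. A
     * server never gets {@code cacerts}, so client certificates are only validated against the
     * explicitly configured {@code trust}. When neither is configured the trust-manager array is
     * {@code null} and {@link SSLContext#init} falls back to the JDK's default trust managers (its
     * default trust store) -- a notable default for a server with {@code mutual: REQUIRED}.
     *
     * <p>Protocol: {@code options.version} if set, else {@code "TLS"}, which selects the provider's
     * default protocol set. Nothing here restricts the enabled protocols or cipher suites further,
     * so on an older JDK the defaults may still include TLS 1.0/1.1.
     *
     * @param vault           source of the named key and certificate entries
     * @param ignoreEmptyNames when {@code true}, empty strings in the configured name lists are
     *                        dropped instead of being looked up in the vault
     * @param keyManagerAlgorithm algorithm passed to {@link KeyManagerFactory#getInstance(String)}
     * @param random          entropy source handed to {@link SSLContext#init}
     * @throws RuntimeException (unchecked rethrow) for any key-store, factory or context failure
     */
    public void init(BindingVault vault, boolean ignoreEmptyNames, String keyManagerAlgorithm, SecureRandom random) {
        final char[] storePassword = STORE_PASSWORD.toCharArray();
        try {
            KeyStore keys = newKeys(vault, ignoreEmptyNames, storePassword, options.keys, options.signers);
            KeyStore trust = newTrust(vault, ignoreEmptyNames, options.trust,
                    options.trustcacerts && kind == Role.CLIENT);

            KeyManager[] keyManagers = null;
            if (keys != null) {
                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(keyManagerAlgorithm);
                keyManagerFactory.init(keys, storePassword);
                keyManagers = keyManagerFactory.getKeyManagers();
                if (keyManagers != null) {
                    for (int i = 0; i < keyManagers.length; i++) {
                        if (keyManagers[i] instanceof X509ExtendedKeyManager) {
                            keyManagers[i] = new TlsX509ExtendedKeyManager((X509ExtendedKeyManager) keyManagers[i]);
                        }
                    }
                }
            }

            TrustManager[] trustManagers = null;
            if (trust != null) {
                TrustManagerFactory trustManagerFactory =
                        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init(trust);
                trustManagers = trustManagerFactory.getTrustManagers();
            }

            // A null trust-manager array means "JDK defaults", see the class comment above.
            SSLContext newContext = SSLContext.getInstance(options.version != null ? options.version : "TLS");
            newContext.init(keyManagers, trustManagers, random);
            context = newContext;
        } catch (GeneralSecurityException | IOException e) {
            LangUtil.rethrowUnchecked(e);
        }
    }

    /**
     * Resolves the route for a stream from the AUTHORITY and ALPN proxy infos carried in its
     * {@code BEGIN} extension, if any.
     *
     * @param authorization stream authorization (NOTE(review): not consulted by the lookup -- see
     *                      {@link #resolve(long, String, String)})
     * @param beginEx       proxy begin extension, or {@code null}
     * @return the matching route, the {@link #exit} route, or {@code null}
     */
    public TlsRoute resolve(long authorization, ProxyBeginExFW beginEx) {
        Array32FW<ProxyInfoFW> infos = beginEx != null ? beginEx.infos() : null;
        ProxyInfoFW authorityInfo = infoOfKind(infos, ProxyInfoType.AUTHORITY);
        ProxyInfoFW alpnInfo = infoOfKind(infos, ProxyInfoType.ALPN);
        String authority = authorityInfo != null ? authorityInfo.authority().asString() : null;
        String alpn = alpnInfo != null ? alpnInfo.alpn().asString() : null;
        return resolve(authorization, authority, alpn);
    }

    /**
     * Returns the first route in configuration order whose {@code when} matchers accept the given
     * authority and ALPN protocol, falling back to {@link #exit}.
     *
     * <p>NOTE(review): {@code authorization} is accepted but never used, so routes are selected
     * purely on authority/ALPN; if per-route authorization is expected it has to happen elsewhere.
     *
     * @param authorization stream authorization (unused here)
     * @param authority     SNI/host authority, or {@code null}
     * @param alpn          negotiated or requested ALPN protocol, or {@code null}
     * @return the matching route, the {@link #exit} route, or {@code null} when neither exists
     */
    public TlsRoute resolve(long authorization, String authority, String alpn) {
        return routes.stream()
                .filter(route -> route.when.stream().anyMatch(matcher -> matcher.matches(authority, alpn)))
                .findFirst()
                .orElse(exit);
    }

    /**
     * Creates a client-mode engine for an outbound stream.
     *
     * <p>SNI host names come from {@code options.sni}, else from the AUTHORITY proxy info; ALPN
     * protocols from {@code options.alpn}, else from the ALPN proxy info. Server identity is
     * always checked with the {@code "HTTPS"} endpoint-identification algorithm. Because the engine
     * is created without a peer host, that check can only use the SNI names set here --
     * NOTE(review): confirm the handshake fails (rather than passes) when no SNI name is available.
     *
     * <p>NOTE(review): {@link SNIHostName} rejects values that are not plain DNS host names, so an
     * authority carrying a port or an IP literal would presumably throw here -- confirm what the
     * upstream binding supplies.
     *
     * <p>A SECURE/NAME proxy info, when present, is stored on the engine's initial session as
     * {@code "CN=<name>"} under {@link TlsX509ExtendedKeyManager#DISTINGUISHED_NAME_KEY},
     * presumably read back by the key manager to choose the client certificate. The value is
     * interpolated unescaped: a name containing {@code ,} or {@code =} would change the DN --
     * NOTE(review): confirm the key manager's comparison tolerates that.
     *
     * @param beginEx proxy begin extension, or {@code null}
     * @return a configured client engine, or {@code null} before {@link #init}
     */
    public SSLEngine newClientEngine(ProxyBeginExFW beginEx) {
        if (context == null) {
            return null;
        }
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(true);

        Array32FW<ProxyInfoFW> infos = beginEx != null ? beginEx.infos() : null;

        List<String> serverNames = options.sni;
        if (serverNames == null) {
            ProxyInfoFW authorityInfo = infoOfKind(infos, ProxyInfoType.AUTHORITY);
            if (authorityInfo != null) {
                serverNames = Collections.singletonList(authorityInfo.authority().asString());
            }
        }

        List<String> protocols = options.alpn;
        if (protocols == null) {
            ProxyInfoFW alpnInfo = infoOfKind(infos, ProxyInfoType.ALPN);
            if (alpnInfo != null) {
                protocols = Collections.singletonList(alpnInfo.alpn().asString());
            }
        }

        SSLParameters parameters = engine.getSSLParameters();
        // Host-name verification of the server certificate (RFC 2818-style matching).
        parameters.setEndpointIdentificationAlgorithm("HTTPS");
        if (serverNames != null) {
            parameters.setServerNames(serverNames.stream().map(SNIHostName::new).collect(Collectors.toList()));
        }
        if (protocols != null) {
            // Null entries (e.g. an absent ALPN string) are dropped rather than offered.
            String[] offered = protocols.stream().filter(Objects::nonNull).toArray(String[]::new);
            parameters.setApplicationProtocols(offered);
        }
        engine.setSSLParameters(parameters);

        ProxyInfoFW secureName = infos != null
                ? infos.matchFirst(info -> info.kind() == ProxyInfoType.SECURE
                        && info.secure().kind() == ProxySecureInfoType.NAME)
                : null;
        String name = secureName != null ? secureName.secure().name().asString() : null;
        if (name != null) {
            engine.getSession().putValue(TlsX509ExtendedKeyManager.DISTINGUISHED_NAME_KEY,
                    String.format("CN=%s", name));
        }
        return engine;
    }

    /**
     * Creates a server-mode engine for an inbound stream.
     *
     * <p>Client authentication follows {@code options.mutual} (default {@code NONE}):
     * {@code NONE} never asks for a client certificate, {@code REQUESTED} asks but continues without
     * one, {@code REQUIRED} fails the handshake unless an acceptable certificate is presented.
     * ALPN selection is delegated to {@link #selectAlpn}.
     *
     * @return a configured server engine, or {@code null} before {@link #init}
     */
    public SSLEngine newServerEngine() {
        if (context == null) {
            return null;
        }
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);

        TlsMutual mutual = options != null && options.mutual != null ? options.mutual : TlsMutual.NONE;
        switch (mutual) {
        case NONE:
            engine.setWantClientAuth(false);
            break;
        case REQUESTED:
            engine.setWantClientAuth(true);
            break;
        case REQUIRED:
            engine.setNeedClientAuth(true);
            break;
        }
        engine.setHandshakeApplicationProtocolSelector(this::selectAlpn);
        return engine;
    }

    /**
     * Server-side ALPN selector (see {@link SSLEngine#setHandshakeApplicationProtocolSelector}).
     *
     * <p>Selection order:
     * <ol>
     *   <li>baseline: the first client-offered protocol listed in {@code options.alpn};</li>
     *   <li>for each SNI host name the client requested that {@code options.sni} allows (or all of
     *       them when {@code sni} is unset), and for each route, the first offered protocol that the
     *       route's matchers accept together with that host name; a later route's match replaces an
     *       earlier one, so the last matching route wins;</li>
     *   <li>without any SNI, the same per-route scan with a {@code null} authority.</li>
     * </ol>
     * Note that the baseline from step 1 survives even when the requested SNI host is not in
     * {@code options.sni}; only the route scan is skipped in that case.
     *
     * <p>Return value semantics are the JSSE ones: a protocol name selects it, {@code ""} (used when
     * an {@link #exit} route exists) continues the handshake without ALPN, and {@code null} (no match
     * and no exit) makes the provider abort with {@code no_application_protocol}.
     *
     * @param engine  the handshaking engine
     * @param offered protocols advertised by the client, in the client's preference order
     * @return the selected protocol, {@code ""} for none, or {@code null} to reject
     */
    private String selectAlpn(SSLEngine engine, List<String> offered) {
        SSLSession handshake = engine.getHandshakeSession();
        List<SNIServerName> requestedNames = handshake instanceof ExtendedSSLSession
                ? ((ExtendedSSLSession) handshake).getRequestedServerNames()
                : null;
        List<String> sni = options != null ? options.sni : null;
        List<String> alpn = options != null ? options.alpn : null;

        String selected = null;
        if (alpn != null) {
            for (String protocol : offered) {
                if (alpn.contains(protocol)) {
                    selected = protocol;
                    break;
                }
            }
        }

        if (requestedNames != null) {
            for (SNIServerName serverName : requestedNames) {
                if (serverName.getType() != StandardConstants.SNI_HOST_NAME) {
                    continue;
                }
                String authority = ((SNIHostName) serverName).getAsciiName();
                if (sni != null && !sni.contains(authority)) {
                    continue;
                }
                for (TlsRoute route : routes) {
                    String match = firstRouteProtocol(route, authority, offered, alpn);
                    if (match != null) {
                        selected = match;
                    }
                }
            }
        } else {
            for (TlsRoute route : routes) {
                String match = firstRouteProtocol(route, null, offered, alpn);
                if (match != null) {
                    selected = match;
                }
            }
        }

        if (selected == null && exit != null) {
            selected = "";
        }
        return selected;
    }

    /**
     * First protocol in {@code offered} that {@code alpn} allows (any, when {@code alpn} is
     * {@code null}) and that one of {@code route.when} accepts together with {@code authority}.
     *
     * @return the protocol, or {@code null} if the route accepts none
     */
    private static String firstRouteProtocol(TlsRoute route, String authority, List<String> offered, List<String> alpn) {
        for (String protocol : offered) {
            if ((alpn == null || alpn.contains(protocol))
                    && route.when.stream().anyMatch(matcher -> matcher.matches(authority, protocol))) {
                return protocol;
            }
        }
        return null;
    }

    /** First proxy info of the given kind, or {@code null} when {@code infos} is null or has none. */
    private static ProxyInfoFW infoOfKind(Array32FW<ProxyInfoFW> infos, ProxyInfoType kind) {
        return infos != null ? infos.matchFirst(info -> info.kind() == kind) : null;
    }

    /**
     * Assembles the in-memory key store, or returns {@code null} when neither list is configured.
     *
     * <p>Entries named in {@code keys} are copied under their own alias; keys returned by
     * {@code vault.keys(signer)} are aliased by their certificate's subject DN and serial number so
     * that several keys from one signer do not collide. Non-X.509 certificates are skipped.
     *
     * @throws NullPointerException if a name in {@code keys} has no entry in the vault (the alias is
     *                              included in the message)
     * @throws GeneralSecurityException, IOException on key-store failures
     */
    private KeyStore newKeys(BindingVault vault, boolean ignoreEmptyNames, char[] password,
            List<String> keys, List<String> signers) throws GeneralSecurityException, IOException {
        if (ignoreEmptyNames) {
            keys = ignoreEmptyNames(keys);
            signers = ignoreEmptyNames(signers);
        }
        if (keys == null && signers == null) {
            return null;
        }

        KeyStore store = KeyStore.getInstance(TYPE_DEFAULT);
        store.load(null, password);
        KeyStore.ProtectionParameter protection = new KeyStore.PasswordProtection(password);

        if (keys != null) {
            for (String alias : keys) {
                KeyStore.Entry keyEntry = Objects.requireNonNull(vault.key(alias),
                        () -> "vault has no key entry named '" + alias + "'");
                store.setEntry(alias, keyEntry, protection);
            }
        }

        if (signers != null) {
            for (String signer : signers) {
                KeyStore.PrivateKeyEntry[] signed = vault.keys(signer);
                if (signed == null) {
                    continue;
                }
                for (KeyStore.PrivateKeyEntry keyEntry : signed) {
                    Certificate certificate = keyEntry.getCertificate();
                    if (certificate instanceof X509Certificate) {
                        X509Certificate x509 = (X509Certificate) certificate;
                        String alias = String.format("%s %d",
                                x509.getSubjectX500Principal().getName(), x509.getSerialNumber());
                        store.setEntry(alias, keyEntry, protection);
                    }
                }
            }
        }
        return store;
    }

    /**
     * Assembles the in-memory trust store, or returns {@code null} when no trust is configured.
     *
     * <p>Certificates named in {@code trust} are copied under their own alias. When
     * {@code trustCacerts} is set the JDK's {@code cacerts} entries are added keyed by subject DN --
     * NOTE(review): two CA certificates with the same subject (e.g. cross-signed roots) would
     * overwrite each other under that alias; confirm {@link TlsTrust#cacerts()} never yields such
     * pairs.
     *
     * @throws NullPointerException if a name in {@code trust} has no certificate in the vault
     * @throws GeneralSecurityException, IOException on key-store failures
     */
    private KeyStore newTrust(BindingVault vault, boolean ignoreEmptyNames, List<String> trust,
            boolean trustCacerts) throws GeneralSecurityException, IOException {
        if (ignoreEmptyNames) {
            trust = ignoreEmptyNames(trust);
        }
        if (trust == null && !trustCacerts) {
            return null;
        }

        KeyStore store = KeyStore.getInstance(TYPE_DEFAULT);
        store.load(null, null);

        if (trust != null) {
            for (String alias : trust) {
                KeyStore.Entry certificateEntry = Objects.requireNonNull(vault.certificate(alias),
                        () -> "vault has no certificate entry named '" + alias + "'");
                store.setEntry(alias, certificateEntry, null);
            }
        }

        if (trustCacerts) {
            for (KeyStore.TrustedCertificateEntry trusted : TlsTrust.cacerts()) {
                X509Certificate x509 = (X509Certificate) trusted.getTrustedCertificate();
                store.setCertificateEntry(x509.getSubjectX500Principal().getName(), x509);
            }
        }
        return store;
    }

    /**
     * Drops empty strings from {@code names}. A {@code null} or already-empty list is returned
     * unchanged; a list that becomes empty after filtering is collapsed to {@code null} so callers
     * treat it as "not configured".
     */
    private static List<String> ignoreEmptyNames(List<String> names) {
        if (names == null || names.isEmpty()) {
            return names;
        }
        List<String> kept = names.stream().filter(name -> !name.isEmpty()).collect(Collectors.toList());
        return kept.isEmpty() ? null : kept;
    }
}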
