package io.helidon.common.tls;

import io.helidon.common.LazyValue;
import io.helidon.common.tls.TlsReloadableX509KeyManager;
import io.helidon.common.tls.TlsReloadableX509TrustManager;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:io/helidon/common/tls/ConfiguredTlsManager.class */
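public class ConfiguredTlsManager implements TlsManager {
    /**
     * Session cache size that means "do not override the JDK default". Presumably the JDK's own
     * default value; when the configured size equals it the server session context is left untouched.
     */
    private static final int DEFAULT_SESSION_CACHE_SIZE = 20480;

    /** Fallback {@link SecureRandom}, created once on first use and shared by every instance. */
    private static final LazyValue<SecureRandom> RANDOM = LazyValue.create(SecureRandom::new);

    private final String name;
    private final String type;

    // Populated by init(). volatile so a context initialised on one thread is visible on others.
    // The fields are written one at a time, so init() as a whole is not atomic; callers are
    // presumably expected to finish init() before sharing the manager (TODO confirm).
    private volatile X509KeyManager keyManager;
    private volatile TlsReloadableX509KeyManager reloadableKeyManager;
    private volatile X509TrustManager trustManager;
    private volatile TlsReloadableX509TrustManager reloadableTrustManager;
    private volatile SSLContext sslContext;

    /**
     * Creates the default manager, named {@code @default} with type {@code tls-manager}.
     * Decompiler note: the original constructor was package-private; the modifier is kept as decompiled.
     */
    public ConfiguredTlsManager() {
        this("@default", "tls-manager");
    }

    /**
     * Creates a named manager.
     *
     * @param str  manager name, must not be {@code null}
     * @param str2 manager type, must not be {@code null}
     * @throws NullPointerException if either argument is {@code null}
     */
    protected ConfiguredTlsManager(String str, String str2) {
        this.name = Objects.requireNonNull(str, "name");
        this.type = Objects.requireNonNull(str2, "type");
    }

    /** @return the manager name */
    public String name() {
        return this.name;
    }

    /** @return the manager type */
    public String type() {
        return this.type;
    }

    /**
     * The context built by {@link #init(TlsConfig)}, or the one adopted from {@code TlsConfig.sslContext()}.
     *
     * @return the current {@link SSLContext}, {@code null} before {@code init} has run
     */
    @Override
    public SSLContext sslContext() {
        return this.sslContext;
    }

    /**
     * Builds (or adopts) the {@link SSLContext} described by the configuration.
     *
     * @param tlsConfig TLS configuration
     * @throws IllegalArgumentException if the configuration cannot be turned into JCA/JSSE objects
     */
    @Override
    public void init(TlsConfig tlsConfig) {
        sslContext(tlsConfig);
    }

    /**
     * Replaces the key and/or trust material of the running context with that of {@code tls}.
     *
     * @param tls source of the new key manager and trust manager
     * @see #reload(Optional, Optional)
     */
    @Override
    public void reload(Tls tls) {
        reload(tls.keyManager(), tls.trustManager());
    }

    /** @return the X.509 key manager captured during {@code init}, empty if none was configured */
    @Override
    public Optional<X509KeyManager> keyManager() {
        return Optional.ofNullable(this.keyManager);
    }

    /** @return the X.509 trust manager captured during {@code init}, empty if none was configured */
    @Override
    public Optional<X509TrustManager> trustManager() {
        return Optional.ofNullable(this.trustManager);
    }

    /**
     * Swaps the material behind the reloadable wrappers installed by {@code init}.
     * Each optional is handled on its own: an absent manager is left untouched, and the
     * corresponding wrapper is only required to exist when a replacement is actually supplied
     * (so a trust-only client can reload its trust store without ever having configured a key).
     * <p>
     * NOTE(review): {@link #keyManager()} / {@link #trustManager()} keep returning the managers
     * captured at {@code init}; they are not updated here. Confirm against the {@code TlsManager}
     * contract whether they are expected to reflect the reloaded ones.
     *
     * @param optional  replacement key manager, empty to keep the current one
     * @param optional2 replacement trust manager, empty to keep the current one
     * @throws NullPointerException if a replacement is supplied but nothing reloadable was installed,
     *                              e.g. no matching material was configured or the {@code SSLContext}
     *                              was supplied externally through {@code TlsConfig.sslContext()}
     */
    protected void reload(Optional<X509KeyManager> optional, Optional<X509TrustManager> optional2) {
        optional.ifPresent(newKeyManager -> {
            TlsReloadableX509KeyManager target = Objects.requireNonNull(this.reloadableKeyManager,
                    "TLS key manager cannot be reloaded: no key material was configured or the SSLContext was supplied externally");
            target.reload(newKeyManager);
        });
        optional2.ifPresent(newTrustManager -> {
            TlsReloadableX509TrustManager target = Objects.requireNonNull(this.reloadableTrustManager,
                    "TLS trust manager cannot be reloaded: no trust material was configured or the SSLContext was supplied externally");
            target.reload(newTrustManager);
        });
    }

    /**
     * Creates and initialises the {@link SSLContext} and publishes it through {@link #sslContext()}.
     * <p>
     * An empty manager array is passed to {@link SSLContext#init} as {@code null}, which hands the
     * choice to the JDK: for trust managers that is the JDK default trust store (e.g. {@code cacerts}
     * or {@code javax.net.ssl.trustStore}), not "trust nothing" - keep that in mind when a trust
     * store is intentionally omitted.
     *
     * @param tlsConfig       TLS configuration (protocol, provider, session cache settings)
     * @param secureRandom    random source handed to the context
     * @param keyManagerArr   key managers from the configured key material, possibly empty
     * @param trustManagerArr trust managers from the configured trust material, possibly empty
     * @throws IllegalArgumentException if the context cannot be created or initialised
     */
    protected void initSslContext(TlsConfig tlsConfig, SecureRandom secureRandom, KeyManager[] keyManagerArr, TrustManager[] trustManagerArr) {
        try {
            KeyManager[] kms = keyManagerArr.length == 0 ? null : wrapX509KeyManagers(keyManagerArr);
            TrustManager[] tms = trustManagerArr.length == 0 ? null : wrapX509TrustManagers(trustManagerArr);
            SSLContext ctx = tlsConfig.provider().isPresent()
                    ? SSLContext.getInstance(tlsConfig.protocol(), tlsConfig.provider().get())
                    : SSLContext.getInstance(tlsConfig.protocol());
            ctx.init(kms, tms, secureRandom);
            SSLSessionContext serverSessions = ctx.getServerSessionContext();
            if (serverSessions != null) {
                // Only override the cache size when it differs from the "default" marker value.
                if (tlsConfig.sessionCacheSize() != DEFAULT_SESSION_CACHE_SIZE) {
                    serverSessions.setSessionCacheSize(tlsConfig.sessionCacheSize());
                }
                serverSessions.setSessionTimeout((int) tlsConfig.sessionTimeout().toSeconds());
            }
            this.sslContext = ctx;
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("Failed to create SSLContext", e);
        }
    }

    /**
     * Resolves the {@link SecureRandom} to use, in order of precedence: an explicitly configured
     * instance, a configured algorithm (with or without provider), else the shared {@link #RANDOM}.
     *
     * @param tlsConfig TLS configuration
     * @return the random source to hand to the {@link SSLContext}
     * @throws IllegalArgumentException if a provider is configured without an algorithm, or the
     *                                  configured algorithm/provider cannot be instantiated
     */
    protected SecureRandom secureRandom(TlsConfig tlsConfig) {
        if (tlsConfig.secureRandom().isPresent()) {
            return tlsConfig.secureRandom().get();
        }
        try {
            if (tlsConfig.secureRandomProvider().isEmpty()) {
                // No provider: either the named algorithm from the default provider chain, or the shared fallback.
                return tlsConfig.secureRandomAlgorithm().isPresent()
                        ? SecureRandom.getInstance(tlsConfig.secureRandomAlgorithm().get())
                        : RANDOM.get();
            }
            if (tlsConfig.secureRandomAlgorithm().isEmpty()) {
                throw new IllegalArgumentException("Invalid configuration of secure random. Provider is configured to " + tlsConfig.secureRandomProvider().get() + ", but algorithm is not specified");
            }
            return SecureRandom.getInstance(tlsConfig.secureRandomAlgorithm().get(), tlsConfig.secureRandomProvider().get());
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("invalid configuration for secure random, cannot create it", e);
        }
    }

    /**
     * Builds a {@link KeyManagerFactory} around a single private key and its certificate chain.
     * The key is placed in a fresh in-memory keystore protected by a throw-away random password;
     * the password exists only because the {@link KeyStore} API demands one and is never persisted.
     * It is intentionally not wiped here: some factory implementations may keep a reference to it.
     *
     * @param tlsConfig      TLS configuration (keystore type/provider, factory algorithm/provider)
     * @param secureRandom   source for the throw-away password
     * @param privateKey     private key to serve
     * @param certificateArr certificate chain for the key
     * @return an initialised factory
     * @throws IllegalArgumentException if the keystore or factory cannot be created or initialised
     */
    protected KeyManagerFactory buildKmf(TlsConfig tlsConfig, SecureRandom secureRandom, PrivateKey privateKey, Certificate[] certificateArr) {
        byte[] passwordBytes = new byte[64];
        secureRandom.nextBytes(passwordBytes);
        char[] password = Base64.getEncoder().encodeToString(passwordBytes).toCharArray();
        try {
            KeyStore keyStore = internalKeystore(tlsConfig);
            keyStore.setKeyEntry("key", privateKey, password, certificateArr);
            KeyManagerFactory factory = kmf(tlsConfig);
            factory.init(keyStore, password);
            return factory;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new IllegalArgumentException("Invalid configuration for key management factory, cannot create factory", e);
        }
    }

    /**
     * Creates an empty in-memory {@link KeyStore} of the configured (or JDK default) type.
     *
     * @param tlsConfig TLS configuration (internal keystore type and provider)
     * @return an empty, loaded keystore
     * @throws IllegalArgumentException if the type/provider combination cannot be instantiated
     */
    protected KeyStore internalKeystore(TlsConfig tlsConfig) {
        try {
            String keystoreType = tlsConfig.internalKeystoreType().orElseGet(KeyStore::getDefaultType);
            KeyStore keyStore = tlsConfig.internalKeystoreProvider().isEmpty()
                    ? KeyStore.getInstance(keystoreType)
                    : KeyStore.getInstance(keystoreType, tlsConfig.internalKeystoreProvider().get());
            // load(null, null) initialises an empty store without touching any file.
            keyStore.load(null, null);
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
            throw new IllegalArgumentException("Invalid configuration of internal keystores. Provider: " + String.valueOf(tlsConfig.internalKeystoreProvider()) + ", type: " + String.valueOf(tlsConfig.internalKeystoreType()), e);
        }
    }

    /**
     * Creates an uninitialised {@link TrustManagerFactory} of the configured (or JDK default) algorithm.
     *
     * @param tlsConfig TLS configuration (trust manager factory algorithm and provider)
     * @return the factory; the caller must still call {@code init}
     * @throws IllegalArgumentException if the algorithm/provider combination cannot be instantiated
     */
    protected TrustManagerFactory createTmf(TlsConfig tlsConfig) {
        try {
            String algorithm = tlsConfig.trustManagerFactoryAlgorithm().orElseGet(TrustManagerFactory::getDefaultAlgorithm);
            return tlsConfig.trustManagerFactoryProvider().isEmpty()
                    ? TrustManagerFactory.getInstance(algorithm)
                    : TrustManagerFactory.getInstance(algorithm, tlsConfig.trustManagerFactoryProvider().get());
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new IllegalArgumentException("Invalid configuration of trust manager factory. Provider: " + String.valueOf(tlsConfig.trustManagerFactoryProvider()) + ", algorithm: " + String.valueOf(tlsConfig.trustManagerFactoryAlgorithm()), e);
        }
    }

    /**
     * Factory used when {@code trustAll} is configured. As its name implies, {@link TrustAllManagerFactory}
     * is meant to accept any peer certificate, i.e. it disables peer authentication and with it the
     * protection TLS gives against man-in-the-middle attacks. Suitable for local testing only;
     * never enable it in production.
     *
     * @return the trust-all factory
     */
    protected TrustManagerFactory trustAllTmf() {
        return new TrustAllManagerFactory();
    }

    /**
     * Builds a {@link TrustManagerFactory} from the configured trust certificates, each stored under
     * a numeric alias ("1", "2", ...) in a fresh in-memory keystore.
     *
     * @param tlsConfig TLS configuration
     * @return an initialised factory
     * @throws KeyStoreException if a certificate cannot be stored or the factory cannot be initialised
     */
    private TrustManagerFactory initTmf(TlsConfig tlsConfig) throws KeyStoreException {
        KeyStore trustStore = internalKeystore(tlsConfig);
        int alias = 1;
        for (X509Certificate certificate : tlsConfig.trust()) {
            trustStore.setCertificateEntry(String.valueOf(alias), certificate);
            alias++;
        }
        TrustManagerFactory factory = createTmf(tlsConfig);
        factory.init(trustStore);
        return factory;
    }

    /**
     * Chooses the trust manager factory: trust-all if configured, none ({@code null}) if no trust
     * certificates are configured (the JDK default trust store then applies, see
     * {@link #initSslContext}), else one built from the configured certificates.
     *
     * @param tlsConfig TLS configuration
     * @return the factory, or {@code null} when the JDK default should be used
     * @throws KeyStoreException if the configured certificates cannot be loaded
     */
    private TrustManagerFactory tmf(TlsConfig tlsConfig) throws KeyStoreException {
        if (tlsConfig.trustAll()) {
            return trustAllTmf();
        }
        return tlsConfig.trust().isEmpty() ? null : initTmf(tlsConfig);
    }

    /**
     * Core of {@link #init(TlsConfig)}. An externally supplied {@code SSLContext} is adopted as-is:
     * in that case no key/trust manager is captured and {@link #reload} has nothing to act on.
     *
     * @param tlsConfig TLS configuration
     * @throws IllegalArgumentException if key or trust material cannot be turned into a context
     */
    private void sslContext(TlsConfig tlsConfig) {
        if (tlsConfig.sslContext().isPresent()) {
            this.sslContext = tlsConfig.sslContext().get();
            return;
        }
        try {
            SecureRandom secureRandom = secureRandom(tlsConfig);
            KeyManagerFactory keyManagerFactory = tlsConfig.privateKey()
                    .map(privateKey -> buildKmf(tlsConfig,
                                                secureRandom,
                                                privateKey,
                                                (Certificate[]) tlsConfig.privateKeyCertChain().toArray(new Certificate[0])))
                    .orElse(null);
            TrustManagerFactory trustManagerFactory = tmf(tlsConfig);
            KeyManager[] keyManagers = keyManagerFactory == null ? new KeyManager[0] : keyManagerFactory.getKeyManagers();
            TrustManager[] trustManagers = trustManagerFactory == null ? new TrustManager[0] : trustManagerFactory.getTrustManagers();
            initSslContext(tlsConfig, secureRandom, keyManagers, trustManagers);
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("Failed to create SSLContext", e);
        }
    }

    /**
     * Creates an uninitialised {@link KeyManagerFactory} of the configured (or JDK default) algorithm.
     *
     * @param tlsConfig TLS configuration (key manager factory algorithm and provider)
     * @return the factory; the caller must still call {@code init}
     * @throws IllegalArgumentException if the algorithm/provider combination cannot be instantiated
     */
    private KeyManagerFactory kmf(TlsConfig tlsConfig) {
        try {
            String algorithm = tlsConfig.keyManagerFactoryAlgorithm().orElseGet(KeyManagerFactory::getDefaultAlgorithm);
            return tlsConfig.keyManagerFactoryProvider().isPresent()
                    ? KeyManagerFactory.getInstance(algorithm, tlsConfig.keyManagerFactoryProvider().get())
                    : KeyManagerFactory.getInstance(algorithm);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new IllegalArgumentException("Invalid configuration of key manager factory. Provider: " + String.valueOf(tlsConfig.keyManagerFactoryProvider()) + ", algorithm: " + String.valueOf(tlsConfig.keyManagerFactoryAlgorithm()), e);
        }
    }

    /**
     * Returns a copy of {@code keyManagerArr} in which the first {@link X509KeyManager} is replaced by a
     * reloadable wrapper; that manager and its wrapper are also recorded on this instance. Only the
     * first X.509 manager is wrapped, the rest are passed through. If none is found a
     * non-reloadable placeholder is recorded so {@link #reload} has a defined target.
     *
     * @param keyManagerArr key managers from the factory
     * @return the (possibly) wrapped copy
     */
    private KeyManager[] wrapX509KeyManagers(KeyManager[] keyManagerArr) {
        KeyManager[] wrapped = keyManagerArr.clone();
        for (int i = 0; i < wrapped.length; i++) {
            if (wrapped[i] instanceof X509KeyManager) {
                X509KeyManager x509 = (X509KeyManager) wrapped[i];
                this.keyManager = x509;
                this.reloadableKeyManager = TlsReloadableX509KeyManager.create(x509);
                wrapped[i] = this.reloadableKeyManager;
                return wrapped;
            }
        }
        this.reloadableKeyManager = new TlsReloadableX509KeyManager.NotReloadableKeyManager();
        return wrapped;
    }

    /**
     * Trust-manager counterpart of {@link #wrapX509KeyManagers(KeyManager[])}: the first
     * {@link X509TrustManager} is replaced by a reloadable wrapper and recorded; if none is found a
     * non-reloadable placeholder is recorded.
     *
     * @param trustManagerArr trust managers from the factory
     * @return the (possibly) wrapped copy
     */
    private TrustManager[] wrapX509TrustManagers(TrustManager[] trustManagerArr) {
        TrustManager[] wrapped = trustManagerArr.clone();
        for (int i = 0; i < wrapped.length; i++) {
            if (wrapped[i] instanceof X509TrustManager) {
                X509TrustManager x509 = (X509TrustManager) wrapped[i];
                this.trustManager = x509;
                this.reloadableTrustManager = TlsReloadableX509TrustManager.create(x509);
                wrapped[i] = this.reloadableTrustManager;
                return wrapped;
            }
        }
        this.reloadableTrustManager = new TlsReloadableX509TrustManager.NotReloadableTrustManager();
        return wrapped;
    }
}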
