package io.helidon.webserver;

import io.helidon.common.LazyValue;
import io.helidon.common.pki.KeyConfig;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:io/helidon/webserver/ConfiguredTlsManager.class */
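/**
 * Default {@link TlsManager} that assembles an {@link SSLContext} from a {@link WebServerTls}
 * configuration.
 * <p>
 * If the configuration carries an explicit {@code SSLContext} it is adopted unchanged. Otherwise
 * a context is built from the configured private key and certificate chain (key managers) and
 * from the configured trust certificates (trust managers), then tuned with the configured
 * session-cache settings. Callbacks registered through {@link #subscribe(Consumer)} are invoked
 * with the new context on every {@link #reload}.
 * <p>
 * Thread-safety: {@link #sslContext()} reads a {@code volatile} field, so a context published by
 * {@code init}/{@code reload} is visible to other threads. The subscriber set is a plain
 * {@link LinkedHashSet} with no synchronization, so concurrent {@code subscribe}/{@code reload}
 * is not guarded by this class.
 */
public class ConfiguredTlsManager implements TlsManager {
    /** Lazily created, shared source of randomness for contexts and throw-away keystore passwords. */
    private static final LazyValue<SecureRandom> RANDOM = LazyValue.create(SecureRandom::new);
    private final String name;
    private final String type;
    /** Callbacks notified with the new context on {@link #reload}; insertion order is kept. */
    private final Set<Consumer<SSLContext>> subscribers = new LinkedHashSet<>();
    /** Current context; volatile so a reload becomes visible to readers without locking. */
    private volatile SSLContext sslContext;

    /**
     * Creates a manager named after the default socket, with type {@code "tls-manager"}.
     * (Decompiler note: this constructor was package-private in the original source.)
     */
    public ConfiguredTlsManager() {
        this(WebServer.DEFAULT_SOCKET_NAME, "tls-manager");
    }

    /**
     * Creates a manager with an explicit name and type.
     *
     * @param name manager name, must not be {@code null}
     * @param type manager type, must not be {@code null}
     * @throws NullPointerException if either argument is {@code null}
     */
    protected ConfiguredTlsManager(String name, String type) {
        this.name = Objects.requireNonNull(name, "name");
        this.type = Objects.requireNonNull(type, "type");
    }

    /** @return the manager name given at construction */
    public String name() {
        return name;
    }

    /** @return the manager type given at construction */
    public String type() {
        return type;
    }

    /**
     * @return the most recently published context, or {@code null} if {@link #init} has not run
     */
    @Override // io.helidon.webserver.TlsManager
    public SSLContext sslContext() {
        return sslContext;
    }

    /**
     * Registers a callback that receives the new context after each {@link #reload}.
     *
     * @param consumer callback, must not be {@code null}
     * @throws NullPointerException if {@code consumer} is {@code null}
     */
    @Override // io.helidon.webserver.TlsManager
    public void subscribe(Consumer<SSLContext> consumer) {
        subscribers.add(Objects.requireNonNull(consumer, "consumer"));
    }

    /**
     * Builds and publishes the context described by {@code webServerTls}.
     *
     * @param webServerTls TLS configuration
     * @throws IllegalStateException if no private key is configured, or if the key/trust material
     *                               cannot be turned into a context
     */
    @Override // io.helidon.webserver.TlsManager
    public void init(WebServerTls webServerTls) {
        SSLContext explicit = webServerTls.explicitSslContext().orElse(null);
        if (explicit != null) {
            // An explicitly supplied context is used as-is: the configured key/trust material and
            // session-cache settings are not applied to it.
            sslContext = explicit;
            return;
        }
        if (webServerTls.privateKeyConfig() == null) {
            throw new IllegalStateException("Private key must be configured when SSL is enabled.");
        }
        try {
            KeyManager[] keyManagers = buildKmf(webServerTls.privateKeyConfig()).getKeyManagers();
            TrustManager[] trustManagers = buildTmf(webServerTls).getTrustManagers();
            initSslContext(webServerTls, keyManagers, trustManagers);
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Failed to build server SSL Context!", e);
        }
    }

    /**
     * Creates a context for the configured protocol, initializes it with the given managers and
     * publishes it through {@link #configureAndSet}.
     *
     * @param webServerTls  TLS configuration (supplies the protocol name and session settings)
     * @param keyManagers   key managers for the context, may be {@code null} per the JSSE contract
     * @param trustManagers trust managers for the context, may be {@code null} per the JSSE contract
     * @throws IllegalArgumentException if the context cannot be created or initialized
     * @deprecated marked deprecated upstream; no replacement is visible in this class
     */
    @Deprecated
    protected void initSslContext(WebServerTls webServerTls, KeyManager[] keyManagers, TrustManager[] trustManagers) {
        try {
            SSLContext context = SSLContext.getInstance(webServerTls.protocol());
            context.init(keyManagers, trustManagers, secureRandom(webServerTls));
            configureAndSet(webServerTls, context);
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("Failed to create SSLContext", e);
        }
    }

    /**
     * Rebuilds the context from the given managers and notifies every subscriber with it.
     *
     * @param webServerTls  TLS configuration
     * @param keyManagers   key managers for the new context
     * @param trustManagers trust managers for the new context
     * @deprecated marked deprecated upstream; no replacement is visible in this class
     */
    @Deprecated
    protected void reload(WebServerTls webServerTls, KeyManager[] keyManagers, TrustManager[] trustManagers) {
        initSslContext(webServerTls, keyManagers, trustManagers);
        // Read the volatile once so all subscribers observe the same context even if another
        // reload races with this one.
        SSLContext current = sslContext;
        subscribers.forEach(subscriber -> subscriber.accept(current));
    }

    /**
     * @param webServerTls TLS configuration (unused here; available for overriding subclasses)
     * @return the shared {@link SecureRandom} used to initialize contexts
     */
    protected SecureRandom secureRandom(WebServerTls webServerTls) {
        return RANDOM.get();
    }

    /**
     * Trust manager factory used when {@code trustAll} is configured. Judging by its name,
     * {@code TrustAllManagerFactory} presumably accepts every peer certificate, i.e. peer identity
     * is not verified; confirm in that class before relying on this outside of test setups.
     *
     * @return a factory producing trust managers that do not validate peers
     */
    protected TrustManagerFactory trustAllTmf() {
        return new TrustAllManagerFactory();
    }

    /**
     * @param webServerTls TLS configuration (unused here; available for overriding subclasses)
     * @return a factory for the JDK default trust manager algorithm
     * @throws IllegalStateException if the default algorithm is not available
     * @deprecated marked deprecated upstream; no replacement is visible in this class
     */
    @Deprecated
    protected TrustManagerFactory createTmf(WebServerTls webServerTls) {
        try {
            return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Unable to create trust manager factory", e);
        }
    }

    /**
     * Applies the configured server session-cache size and timeout (only positive values
     * override the provider defaults) and publishes {@code context} as the current context.
     *
     * @param webServerTls TLS configuration
     * @param context      context to tune and publish
     * @deprecated marked deprecated upstream; no replacement is visible in this class
     */
    @Deprecated
    protected void configureAndSet(WebServerTls webServerTls, SSLContext context) {
        SSLSessionContext serverSessions = context.getServerSessionContext();
        if (serverSessions != null) {
            int cacheSize = webServerTls.sessionCacheSize();
            if (cacheSize > 0) {
                serverSessions.setSessionCacheSize(cacheSize);
            }
            int timeoutSeconds = webServerTls.sessionTimeoutSeconds();
            if (timeoutSeconds > 0) {
                serverSessions.setSessionTimeout(timeoutSeconds);
            }
        }
        sslContext = context;
    }

    /**
     * Wraps the configured private key and certificate chain in an in-memory key store and
     * initializes a {@link KeyManagerFactory} with it.
     *
     * @param keyConfig source of the private key and certificate chain
     * @return an initialized key manager factory
     * @throws IllegalStateException    if {@code keyConfig} holds no private key
     * @throws IOException              if the empty key store cannot be loaded
     * @throws GeneralSecurityException if the key store or factory cannot be created/initialized
     */
    private KeyManagerFactory buildKmf(KeyConfig keyConfig) throws IOException, GeneralSecurityException {
        String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
        if (algorithm == null) {
            algorithm = "SunX509";
        }
        // The key store lives only in memory and is never persisted; the password is a
        // throw-away random value that merely satisfies the KeyStore/KeyManagerFactory API.
        byte[] passwordBytes = new byte[64];
        RANDOM.get().nextBytes(passwordBytes);
        char[] password = Base64.getEncoder().encodeToString(passwordBytes).toCharArray();

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        Key privateKey = keyConfig.privateKey()
                .orElseThrow(() -> new IllegalStateException("Private key not available"));
        Certificate[] chain = keyConfig.certChain().toArray(new Certificate[0]);
        keyStore.setKeyEntry("key", privateKey, password, chain);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(keyStore, password);
        return kmf;
    }

    /**
     * Builds the trust manager factory: the trust-all factory when {@code trustAll} is set,
     * otherwise a factory over an in-memory trust store holding the configured certificates.
     * Because the store is passed explicitly, the JDK default trust store is not consulted;
     * with no trust configuration the store is simply empty.
     *
     * @param webServerTls TLS configuration
     * @return an initialized trust manager factory
     * @throws IOException              if the empty trust store cannot be loaded
     * @throws GeneralSecurityException if the trust store or factory cannot be created/initialized
     */
    private TrustManagerFactory buildTmf(WebServerTls webServerTls) throws IOException, GeneralSecurityException {
        if (webServerTls.trustAll()) {
            // Peer certificate validation is delegated to the trust-all factory (see trustAllTmf()).
            return trustAllTmf();
        }
        KeyConfig trustConfig = webServerTls.trustConfig();
        List<X509Certificate> trustedCerts = trustConfig == null ? List.of() : trustConfig.certs();

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        // Aliases are 1-based positional numbers; they only need to be unique within the store.
        int alias = 1;
        for (X509Certificate cert : trustedCerts) {
            trustStore.setCertificateEntry(String.valueOf(alias), cert);
            alias++;
        }

        TrustManagerFactory tmf = createTmf(webServerTls);
        tmf.init(trustStore);
        return tmf;
    }
}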
