package org.mockserver.socket.tls;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.function.Function;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang3.StringUtils;
import org.mockserver.configuration.ConfigurationProperties;
import org.mockserver.log.model.LogEntry;
import org.mockserver.logging.MockServerLogger;
import org.slf4j.event.Level;

/* loaded from: input_file:WEB-INF/lib/mockserver-core-5.12.0.jar:org/mockserver/socket/tls/NettySslContextFactory.class */
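/**
 * Builds and caches the Netty {@link SslContext}s used by MockServer: one for outbound (client /
 * forward-proxy) connections and one for the listening (server) side. Key material comes from the
 * {@link KeyAndCertificateFactory} created in the constructor; trust material is selected from
 * {@link ConfigurationProperties}.
 *
 * <p>Both {@code create*SslContext} methods are {@code synchronized}, so concurrent callers see a
 * single cached context per side.
 */
public class NettySslContextFactory {
    /**
     * Hook that turns a fully configured {@link SslContextBuilder} into the client
     * {@link SslContext}. It is public, static and mutable so that callers can replace how the
     * client context is finalised; being shared state, a replacement affects every instance.
     * The default simply builds the context and rethrows {@link SSLException} unchecked.
     */
    public static Function<SslContextBuilder, SslContext> clientSslContextBuilderFunction = sslContextBuilder -> {
        try {
            return sslContextBuilder.build();
        } catch (SSLException e) {
            throw new RuntimeException(e);
        }
    };
    private final MockServerLogger mockServerLogger;
    private final KeyAndCertificateFactory keyAndCertificateFactory;
    // Cached contexts; rebuilt on demand when the configuration rebuild flags request it.
    private SslContext clientSslContext = null;
    private SslContext serverSslContext = null;

    /**
     * Creates a factory whose key material is provided by
     * {@link KeyAndCertificateFactoryFactory#createKeyAndCertificateFactory(MockServerLogger)}.
     *
     * @param mockServerLogger logger used for diagnostics while building the server context
     */
    public NettySslContextFactory(MockServerLogger mockServerLogger) {
        this.mockServerLogger = mockServerLogger;
        this.keyAndCertificateFactory = KeyAndCertificateFactoryFactory.createKeyAndCertificateFactory(mockServerLogger);
        // JVM-wide side effect kept verbatim for compatibility: this enables SSLv3, TLS 1.0 and
        // TLS 1.1 for the JVM's HTTPS clients, all of which are deprecated protocol versions.
        // Deployments that do not need legacy peers should restrict this to TLSv1.2 (or newer).
        System.setProperty("https.protocols", "SSLv3,TLSv1,TLSv1.1,TLSv1.2");
    }

    /**
     * Returns the client-side {@link SslContext}, building it first when none is cached or
     * {@link ConfigurationProperties#rebuildTLSContext()} requests a rebuild. Successful builds
     * clear the rebuild flag.
     *
     * @param forwardProxyClient when {@code true} the trust anchors are chosen by
     *     {@link ConfigurationProperties#forwardProxyTLSX509CertificatesTrustManagerType()};
     *     when {@code false} only {@link #trustCertificateChain()} is trusted
     * @return the cached or freshly built client context
     * @throws RuntimeException wrapping any failure raised while building the context
     */
    public synchronized SslContext createClientSslContext(boolean forwardProxyClient) {
        if (this.clientSslContext == null || ConfigurationProperties.rebuildTLSContext()) {
            try {
                if (this.keyAndCertificateFactory.certificateNotYetCreated()) {
                    this.keyAndCertificateFactory.buildAndSavePrivateKeyAndX509Certificate();
                }
                SslContextBuilder builder = SslContextBuilder.forClient()
                    .keyManager(forwardProxyPrivateKey(), forwardProxyCertificateChain());
                if (forwardProxyClient) {
                    switch (ConfigurationProperties.forwardProxyTLSX509CertificatesTrustManagerType()) {
                        case ANY:
                            // Certificate verification is disabled for forwarded connections:
                            // the remote peer's identity is not checked, so an impersonating
                            // endpoint would be accepted. Only appropriate where the operator
                            // has deliberately opted in via configuration.
                            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
                            break;
                        case JVM:
                            builder.trustManager(jvmCAX509TrustCertificates());
                            break;
                        case CUSTOM:
                            builder.trustManager(customCAX509TrustCertificates());
                            break;
                        // No default branch (as in the original): an unrecognised value leaves
                        // the builder with no explicit trust manager, presumably Netty's default.
                    }
                } else {
                    builder.trustManager(trustCertificateChain());
                }
                this.clientSslContext = clientSslContextBuilderFunction.apply(builder);
                ConfigurationProperties.rebuildTLSContext(false);
            } catch (Throwable th) {
                // Throwable is caught (not just Exception) to preserve the original contract:
                // every failure surfaces to the caller as a RuntimeException with the cause attached.
                throw new RuntimeException("Exception creating SSL context for client", th);
            }
        }
        return this.clientSslContext;
    }

    /**
     * Private key presented on outbound connections: the configured forward-proxy PEM key when
     * set, otherwise the factory-generated key.
     */
    private PrivateKey forwardProxyPrivateKey() {
        String configuredKey = ConfigurationProperties.forwardProxyPrivateKey();
        if (StringUtils.isNotBlank(configuredKey)) {
            return PEMToFile.privateKeyFromPEMFile(configuredKey);
        }
        return this.keyAndCertificateFactory.privateKey();
    }

    /**
     * Certificate chain presented on outbound connections: the configured forward-proxy PEM
     * chain when set, otherwise the factory-generated leaf followed by its issuing CA.
     */
    private X509Certificate[] forwardProxyCertificateChain() {
        String configuredChain = ConfigurationProperties.forwardProxyCertificateChain();
        if (StringUtils.isNotBlank(configuredChain)) {
            return PEMToFile.x509ChainFromPEMFile(configuredChain).toArray(new X509Certificate[0]);
        }
        return new X509Certificate[]{
            this.keyAndCertificateFactory.x509Certificate(),
            this.keyAndCertificateFactory.certificateAuthorityX509Certificate()
        };
    }

    /**
     * Trust anchors for the {@code JVM} trust-manager type: the factory's own leaf and CA
     * certificates plus every accepted issuer of the JVM's default trust managers.
     *
     * @throws NoSuchAlgorithmException if the default trust-manager algorithm is unavailable
     * @throws KeyStoreException if the default trust store cannot be initialised
     */
    private X509Certificate[] jvmCAX509TrustCertificates() throws NoSuchAlgorithmException, KeyStoreException {
        List<X509Certificate> trusted = new ArrayList<>();
        trusted.add(this.keyAndCertificateFactory.x509Certificate());
        trusted.add(this.keyAndCertificateFactory.certificateAuthorityX509Certificate());
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore makes the factory load the JVM's default trust store.
        trustManagerFactory.init((KeyStore) null);
        for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                Collections.addAll(trusted, ((X509TrustManager) trustManager).getAcceptedIssuers());
            }
        }
        return trusted.toArray(new X509Certificate[0]);
    }

    /**
     * Trust anchors for the {@code CUSTOM} trust-manager type: the factory's own leaf and CA
     * certificates plus the chain read from
     * {@link ConfigurationProperties#forwardProxyTLSCustomTrustX509Certificates()}.
     */
    private X509Certificate[] customCAX509TrustCertificates() {
        List<X509Certificate> trusted = new ArrayList<>();
        trusted.add(this.keyAndCertificateFactory.x509Certificate());
        trusted.add(this.keyAndCertificateFactory.certificateAuthorityX509Certificate());
        trusted.addAll(PEMToFile.x509ChainFromPEMFile(ConfigurationProperties.forwardProxyTLSCustomTrustX509Certificates()));
        return trusted.toArray(new X509Certificate[0]);
    }

    /**
     * Returns the server-side {@link SslContext}, (re)building it when none is cached, when the
     * certificate has not been created yet, or when a rebuild is requested and dynamic updates
     * are not prevented. Client authentication is required only when
     * {@link ConfigurationProperties#tlsMutualAuthenticationRequired()} is set.
     *
     * <p>Build failures are logged at ERROR and swallowed, so this method may return
     * {@code null} (or a stale context) after a failed rebuild; callers must handle that.
     *
     * @return the cached or freshly built server context, or {@code null} if no build succeeded
     */
    public synchronized SslContext createServerSslContext() {
        if (this.serverSslContext == null || this.keyAndCertificateFactory.certificateNotYetCreated() || (ConfigurationProperties.rebuildServerTLSContext() && !ConfigurationProperties.preventCertificateDynamicUpdate())) {
            try {
                this.keyAndCertificateFactory.buildAndSavePrivateKeyAndX509Certificate();
                X509Certificate caCertificate = this.keyAndCertificateFactory.certificateAuthorityX509Certificate();
                X509Certificate leafCertificate = this.keyAndCertificateFactory.x509Certificate();
                this.mockServerLogger.logEvent(new LogEntry()
                    .setLogLevel(Level.DEBUG)
                    .setMessageFormat("using certificate authority serial:{}issuer:{}subject:{}and certificate serial:{}issuer:{}subject:{}")
                    .setArguments(
                        caCertificate.getSerialNumber(),
                        caCertificate.getIssuerDN(),
                        caCertificate.getSubjectDN(),
                        leafCertificate.getSerialNumber(),
                        leafCertificate.getIssuerDN(),
                        leafCertificate.getSubjectDN()
                    ));
                this.serverSslContext = SslContextBuilder
                    .forServer(this.keyAndCertificateFactory.privateKey(), leafCertificate, caCertificate)
                    .trustManager(trustCertificateChain())
                    .clientAuth(ConfigurationProperties.tlsMutualAuthenticationRequired() ? ClientAuth.REQUIRE : ClientAuth.NONE)
                    .build();
                ConfigurationProperties.rebuildServerTLSContext(false);
            } catch (Throwable th) {
                // Deliberate best-effort (as in the original): the failure is logged with its
                // cause and the previous context, possibly null, is returned.
                this.mockServerLogger.logEvent(new LogEntry()
                    .setLogLevel(Level.ERROR)
                    .setMessageFormat("exception creating SSL context for server: " + th.getMessage())
                    .setThrowable(th));
            }
        }
        return this.serverSslContext;
    }

    /**
     * Trust anchors used by the server side and by non-forward-proxy clients: the configured
     * mutual-authentication chain (when set) followed by the factory's CA certificate.
     */
    private X509Certificate[] trustCertificateChain() {
        String configuredChain = ConfigurationProperties.tlsMutualAuthenticationCertificateChain();
        if (StringUtils.isBlank(configuredChain)) {
            return new X509Certificate[]{this.keyAndCertificateFactory.certificateAuthorityX509Certificate()};
        }
        // Copy before appending so this does not depend on PEMToFile returning a mutable list.
        List<X509Certificate> trusted = new ArrayList<>(PEMToFile.x509ChainFromPEMFile(configuredChain));
        trusted.add(this.keyAndCertificateFactory.certificateAuthorityX509Certificate());
        return trusted.toArray(new X509Certificate[0]);
    }
}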
