package io.quarkus.tls.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.arc.InstanceHandle;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.ShutdownContext;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.tls.TlsConfiguration;
import io.quarkus.tls.TlsConfigurationRegistry;
import io.quarkus.tls.runtime.config.KeyStoreConfig;
import io.quarkus.tls.runtime.config.TlsBucketConfig;
import io.quarkus.tls.runtime.config.TlsConfig;
import io.quarkus.tls.runtime.config.TrustStoreConfig;
import io.quarkus.tls.runtime.keystores.JKSKeyStores;
import io.quarkus.tls.runtime.keystores.P12KeyStores;
import io.quarkus.tls.runtime.keystores.PemKeyStores;
import io.smallrye.common.annotation.Identifier;
import io.vertx.core.Vertx;
import jakarta.enterprise.inject.AmbiguousResolutionException;
import jakarta.enterprise.inject.Default;
import java.lang.annotation.Annotation;
import java.security.KeyStoreException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

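/**
 * Runtime recorder backing the {@link TlsConfigurationRegistry}.
 *
 * <p>At startup {@link #validateCertificates} loads and checks every configured TLS bucket (the
 * default one and each named one), caches the resulting {@link TlsConfiguration} per name and, when
 * a bucket declares a reload period, schedules periodic reloads through a
 * {@link TlsCertificateUpdater} that is closed again at shutdown.
 *
 * <p>Thread-safety: {@code certificates} is a {@link ConcurrentHashMap}; {@code vertx},
 * {@code config} and {@code reloader} are written during {@link #validateCertificates} and declared
 * {@code volatile} so that later readers such as {@link #get(String)} observe them.
 */
@Recorder
public class CertificateRecorder implements TlsConfigurationRegistry {

    /** Verified or explicitly registered configurations, keyed by TLS configuration name. */
    private final Map<String, TlsConfiguration> certificates = new ConcurrentHashMap<>();
    /** Created lazily by the first bucket with a reload period; closed by the shutdown task. */
    private volatile TlsCertificateUpdater reloader;
    /** Vert.x instance captured in {@link #validateCertificates}; used to build holders lazily. */
    private volatile Vertx vertx;
    /** TLS configuration mapping captured in {@link #validateCertificates}. */
    private volatile TlsConfig config;

    /**
     * Validates the default and every named TLS configuration and registers them in this registry.
     *
     * @param set             TLS configuration names referenced by qualifiers; they are verified in
     *                        addition to the names present in {@code tlsConfig}
     * @param tlsConfig       the TLS configuration mapping
     * @param runtimeValue    holder of the Vert.x instance used to load key and trust material
     * @param shutdownContext receives a task that closes the certificate reloader, if one was created
     * @throws IllegalArgumentException if a reserved name ({@code <default>} or {@code javax.net.ssl})
     *                                  is used as a named configuration or qualifier
     */
    public void validateCertificates(Set<String> set, TlsConfig tlsConfig, RuntimeValue<Vertx> runtimeValue,
            ShutdownContext shutdownContext) {
        Vertx vertxInstance = runtimeValue.getValue();
        this.vertx = vertxInstance;
        this.config = tlsConfig;

        if (tlsConfig.defaultCertificateConfig().isPresent()) {
            verifyCertificateConfig(tlsConfig.defaultCertificateConfig().get(), vertxInstance, TlsConfig.DEFAULT_NAME);
        }

        // Union of the names found in configuration and the names requested through qualifiers, so a
        // qualifier that points at a name without explicit configuration is still verified.
        Set<String> names = new HashSet<>(tlsConfig.namedCertificateConfig().keySet());
        names.addAll(set);
        for (String name : names) {
            if (name.equals(TlsConfig.DEFAULT_NAME)) {
                throw new IllegalArgumentException(
                        "The TLS configuration name <default> cannot be used explicitly in configuration or qualifiers");
            }
            if (name.equals(TlsConfig.JAVA_NET_SSL_TLS_CONFIGURATION_NAME)) {
                throw new IllegalArgumentException(
                        "The TLS configuration name javax.net.ssl is reserved for providing access to default SunJSSE keystore; neither Quarkus extensions nor end users can adjust or override it");
            }
            // NOTE(review): assumes namedCertificateConfig() yields a bucket for every name (e.g. via
            // mapping defaults) — a null bucket would fail with an NPE inside the verification.
            verifyCertificateConfig(tlsConfig.namedCertificateConfig().get(name), vertxInstance, name);
        }

        shutdownContext.addShutdownTask(() -> {
            if (reloader != null) {
                reloader.close();
            }
        });
    }

    /**
     * Verifies one TLS bucket, stores the resulting configuration under {@code str} and, when the
     * bucket declares a reload period, registers it with the (lazily created) reloader.
     *
     * <p>The lazy creation of the reloader is not guarded; the visible caller
     * ({@link #validateCertificates}) invokes this method sequentially at startup.
     *
     * @param tlsBucketConfig the bucket to verify
     * @param vertx           Vert.x instance used to load the stores
     * @param str             TLS configuration name the bucket is registered under
     */
    public void verifyCertificateConfig(TlsBucketConfig tlsBucketConfig, Vertx vertx, String str) {
        TlsConfiguration verified = verifyCertificateConfigInternal(tlsBucketConfig, vertx, str);
        certificates.put(str, verified);
        tlsBucketConfig.reloadPeriod().ifPresent(period -> {
            if (reloader == null) {
                reloader = new TlsCertificateUpdater(vertx);
            }
            reloader.add(str, verified, period);
        });
    }

    /**
     * Loads the key store and trust store described by {@code tlsBucketConfig} and wraps them in a
     * {@link VertxCertificateHolder}.
     *
     * <p>Two configuration conflicts are rejected here: SNI on a key store exposing at most one
     * alias (SNI needs several certificates to choose between), and {@code trust-all} combined with
     * an explicit trust store. With {@code trust-all} the holder receives
     * {@link TrustAllOptions#INSTANCE} instead of a trust store, i.e. that configuration performs no
     * trust-store based peer validation — a deliberate, explicitly configured opt-out.
     *
     * @param tlsBucketConfig the bucket to verify
     * @param vertx           Vert.x instance used to load the stores
     * @param str             TLS configuration name
     * @return the configuration holder for the bucket
     * @throws IllegalStateException on either configuration conflict
     * @throws RuntimeException      if the key store aliases cannot be listed
     */
    private static TlsConfiguration verifyCertificateConfigInternal(TlsBucketConfig tlsBucketConfig, Vertx vertx,
            String str) {
        KeyStoreAndKeyCertOptions keyStore = getKeyStore(tlsBucketConfig, vertx, str);
        boolean sniRequested = tlsBucketConfig.keyStore().isPresent() && tlsBucketConfig.keyStore().get().sni();
        if (keyStore != null && sniRequested) {
            try {
                // A single alias leaves nothing for SNI to select between; per the message, an explicit
                // `alias` setting presumably narrows the loaded store to one entry as well.
                int aliasCount = Collections.list(keyStore.keyStore.aliases()).size();
                if (aliasCount <= 1) {
                    throw new IllegalStateException(
                            "The SNI option cannot be used when the keystore contains only one alias or the `alias` property has been set");
                }
            } catch (KeyStoreException e) {
                throw new RuntimeException(
                        "Unable to list the aliases of the key store of TLS configuration " + str, e);
            }
        }

        TrustStoreAndTrustOptions trustStore = getTrustStore(tlsBucketConfig, vertx, str);
        if (tlsBucketConfig.trustAll()) {
            if (trustStore != null) {
                throw new IllegalStateException("The trust-all option cannot be used when a trust-store is configured");
            }
            trustStore = new TrustStoreAndTrustOptions(null, TrustAllOptions.INSTANCE);
        }
        return new VertxCertificateHolder(vertx, str, tlsBucketConfig, keyStore, trustStore);
    }

    /**
     * Resolves the key store for a TLS configuration.
     *
     * <p>An explicitly configured store (PEM, then PKCS#12, then JKS, in that order of precedence) wins;
     * otherwise a {@link KeyStoreProvider} bean qualified for {@code str} is consulted. The provider
     * handle is always closed, whichever path returns.
     *
     * @param tlsBucketConfig the bucket describing the store
     * @param vertx           Vert.x instance used to load the store
     * @param str             TLS configuration name
     * @return the loaded key store and options, or {@code null} when neither configuration nor a
     *         provider supplies one
     */
    public static KeyStoreAndKeyCertOptions getKeyStore(TlsBucketConfig tlsBucketConfig, Vertx vertx, String str) {
        try (InstanceHandle<KeyStoreProvider> provider = lookupProvider(KeyStoreProvider.class, str)) {
            if (tlsBucketConfig.keyStore().isPresent()) {
                KeyStoreConfig keyStoreConfig = tlsBucketConfig.keyStore().get();
                keyStoreConfig.validate(provider, str);
                if (keyStoreConfig.pem().isPresent()) {
                    return PemKeyStores.verifyPEMKeyStore(keyStoreConfig, vertx, str);
                }
                if (keyStoreConfig.p12().isPresent()) {
                    return P12KeyStores.verifyP12KeyStore(keyStoreConfig, vertx, str);
                }
                if (keyStoreConfig.jks().isPresent()) {
                    return JKSKeyStores.verifyJKSKeyStore(keyStoreConfig, vertx, str);
                }
            }
            if (provider.isAvailable()) {
                return provider.get().getKeyStore(vertx);
            }
            return null;
        }
    }

    /**
     * Resolves the trust store for a TLS configuration.
     *
     * <p>Mirror of {@link #getKeyStore}: an explicitly configured store (PEM, then PKCS#12, then JKS)
     * wins; otherwise a {@link TrustStoreProvider} bean qualified for {@code str} is consulted. The
     * provider handle is always closed, whichever path returns.
     *
     * @param tlsBucketConfig the bucket describing the store
     * @param vertx           Vert.x instance used to load the store
     * @param str             TLS configuration name
     * @return the loaded trust store and options, or {@code null} when neither configuration nor a
     *         provider supplies one
     */
    public static TrustStoreAndTrustOptions getTrustStore(TlsBucketConfig tlsBucketConfig, Vertx vertx, String str) {
        try (InstanceHandle<TrustStoreProvider> provider = lookupProvider(TrustStoreProvider.class, str)) {
            if (tlsBucketConfig.trustStore().isPresent()) {
                TrustStoreConfig trustStoreConfig = tlsBucketConfig.trustStore().get();
                trustStoreConfig.validate(provider, str);
                if (trustStoreConfig.pem().isPresent()) {
                    return PemKeyStores.verifyPEMTrustStoreStore(trustStoreConfig, vertx, str);
                }
                if (trustStoreConfig.p12().isPresent()) {
                    return P12KeyStores.verifyP12TrustStoreStore(trustStoreConfig, vertx, str);
                }
                if (trustStoreConfig.jks().isPresent()) {
                    return JKSKeyStores.verifyJKSTrustStoreStore(trustStoreConfig, vertx, str);
                }
            }
            if (provider.isAvailable()) {
                return provider.get().getTrustStore(vertx);
            }
            return null;
        }
    }

    /**
     * Returns the configuration registered under {@code str}, if any.
     *
     * <p>The reserved name {@code javax.net.ssl} is materialised on first access: its holder carries
     * no key store and uses the trust store obtained from {@link JavaxNetSslTrustStoreProvider}.
     *
     * @param str TLS configuration name; {@code null} yields an empty result
     * @return the configuration, or empty when nothing is registered under that name
     */
    public Optional<TlsConfiguration> get(String str) {
        if (str == null) {
            return Optional.empty();
        }
        if (TlsConfig.JAVA_NET_SSL_TLS_CONFIGURATION_NAME.equals(str)) {
            // NOTE(review): relies on validateCertificates() having populated vertx and config first;
            // before that both are null and building the holder fails.
            TlsConfiguration javaxNetSsl = certificates.computeIfAbsent(TlsConfig.JAVA_NET_SSL_TLS_CONFIGURATION_NAME,
                    name -> new VertxCertificateHolder(vertx, name, config.namedCertificateConfig().get(name), null,
                            JavaxNetSslTrustStoreProvider.getTrustStore(vertx)));
            return Optional.ofNullable(javaxNetSsl);
        }
        return Optional.ofNullable(certificates.get(str));
    }

    /**
     * Returns the default TLS configuration, i.e. the one registered under {@code <default>}.
     *
     * @return the default configuration, or empty when none was configured
     */
    public Optional<TlsConfiguration> getDefault() {
        return get(TlsConfig.DEFAULT_NAME);
    }

    /**
     * Registers a configuration under a user-chosen name.
     *
     * @param str              name of the configuration; must not be {@code null} nor a reserved name
     * @param tlsConfiguration the configuration; must not be {@code null}
     * @throws IllegalArgumentException if either argument is {@code null} or the name is reserved
     */
    public void register(String str, TlsConfiguration tlsConfiguration) {
        if (str == null) {
            throw new IllegalArgumentException("The name of the TLS configuration to register cannot be null");
        }
        if (str.equals(TlsConfig.DEFAULT_NAME)) {
            throw new IllegalArgumentException("The name of the TLS configuration to register cannot be <default>");
        }
        if (str.equals(TlsConfig.JAVA_NET_SSL_TLS_CONFIGURATION_NAME)) {
            // Message aligned with the one used in validateCertificates() ("adjust or override").
            throw new IllegalArgumentException(
                    "The TLS configuration name javax.net.ssl is reserved for providing access to default SunJSSE keystore; neither Quarkus extensions nor end users can adjust or override it");
        }
        if (tlsConfiguration == null) {
            throw new IllegalArgumentException("The TLS configuration to register cannot be null");
        }
        certificates.put(str, tlsConfiguration);
    }

    /**
     * Exposes this recorder as a {@link Supplier} of the registry, for use by generated startup code.
     *
     * @return a supplier returning this instance
     */
    public Supplier<TlsConfigurationRegistry> getSupplier() {
        return () -> this;
    }

    /**
     * Registers the configuration produced by {@code supplier} under {@code str}.
     *
     * @param str      name of the configuration; same restrictions as {@link #register(String, TlsConfiguration)}
     * @param supplier produces the configuration to register; must not be {@code null}
     * @throws IllegalArgumentException if the supplier is {@code null}, or for the reasons listed on
     *                                  {@link #register(String, TlsConfiguration)}
     */
    public void register(String str, Supplier<TlsConfiguration> supplier) {
        if (supplier == null) {
            throw new IllegalArgumentException("The supplier of the TLS configuration to register cannot be null");
        }
        register(str, supplier.get());
    }

    /**
     * Looks up the CDI bean of type {@code cls} for the TLS configuration {@code str}.
     *
     * <p>The default configuration is matched with the {@code @Default} qualifier, any other name with
     * {@code @Identifier(name)}.
     *
     * @param cls bean type to look up
     * @param str TLS configuration name
     * @return the handle of the single matching bean, or a handle whose {@link InstanceHandle#get()}
     *         returns {@code null} when no bean matches; never {@code null}, and to be closed by the
     *         caller
     * @throws AmbiguousResolutionException if more than one bean matches
     */
    static <T> InstanceHandle<T> lookupProvider(Class<T> cls, String str) {
        Annotation qualifier = TlsConfig.DEFAULT_NAME.equals(str) ? Default.Literal.INSTANCE : Identifier.Literal.of(str);
        List<InstanceHandle<T>> handles = Arc.container().listAll(cls, qualifier);
        if (handles.size() > 1) {
            throw new AmbiguousResolutionException(
                    "multiple beans with type " + cls.getName() + " found for TLS configuration " + str);
        }
        if (handles.isEmpty()) {
            // Empty handle: get() yields null. NOTE(review): callers rely on isAvailable() reporting
            // false for it — confirm InstanceHandle's default isAvailable() is derived from get().
            return new InstanceHandle<T>() {
                public T get() {
                    return null;
                }
            };
        }
        return handles.get(0);
    }
}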
