package org.opendaylight.jsonrpc.security.api;

import com.google.common.base.Preconditions;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;
import java.util.Objects;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opendaylight/jsonrpc/security/api/SslContextHelper.class */
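/**
 * Builds Netty {@link SslContext} instances for client and server endpoints from a
 * string-keyed option map.
 *
 * <p>Options read here (keys come from {@code SecurityConstants}): cipher list, protocol
 * list, keystore type, certificate alias, certificate policy and client verification mode.
 *
 * <p>Security note: when the certificate policy option equals
 * {@code SecurityConstants.CERT_POLICY_IGNORE}, Netty's {@link InsecureTrustManagerFactory}
 * is used and peer certificates are accepted without verification. That setting removes
 * authentication of the remote end and is logged at WARN level so it is visible in
 * deployments.
 */
public final class SslContextHelper {
    private static final Logger LOG = LoggerFactory.getLogger(SslContextHelper.class);

    private SslContextHelper() {
        // static utility, not instantiable
    }

    /**
     * Returns the trimmed value of an option, or {@code null} when the option is absent,
     * mapped to {@code null}, or blank.
     */
    private static String optionOrNull(Map<String, String> map, String str) {
        String raw = map.get(str);
        if (raw == null) {
            return null;
        }
        String trimmed = raw.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }

    /**
     * Splits a comma separated option using {@code SecurityConstants.COMMA_SPLITTER}.
     *
     * @return the split values, or {@code null} when the option is not set; a {@code null}
     *         result is passed on to {@link SslContextBuilder#ciphers(Iterable)} by the callers
     */
    private static Iterable<String> splitOrNull(Map<String, String> map, String str) {
        String value = optionOrNull(map, str);
        return value == null ? null : SecurityConstants.COMMA_SPLITTER.split(value);
    }

    /**
     * Splits a comma separated option into an array.
     *
     * <p>Whitespace around the commas is dropped, so {@code "TLSv1.2, TLSv1.3"} does not
     * produce an entry with a leading blank that would fail to match a protocol name.
     *
     * @return the split values, or {@code null} when the option is not set
     */
    @SuppressFBWarnings({"PZLA_PREFER_ZERO_LENGTH_ARRAYS"})
    private static String[] splitToArrayOrNull(Map<String, String> map, String str) {
        String value = optionOrNull(map, str);
        return value == null ? null : value.split("\\s*,\\s*");
    }

    /**
     * Creates a client-side {@link SslContext}.
     *
     * <p>Client key material is attached only when the certificate alias option is present
     * in {@code map}; otherwise the client presents no certificate.
     *
     * @param map option map
     * @return the built context
     * @throws IllegalStateException if the keystore or trust material cannot be loaded
     * @throws IllegalArgumentException if the keystore type option is not supported
     */
    public static SslContext forClient(Map<String, String> map) {
        Iterable<String> ciphers = splitOrNull(map, SecurityConstants.OPT_CIPHERS);
        String[] protocols = splitToArrayOrNull(map, SecurityConstants.OPT_PROTOCOLS);
        try {
            KeyStoreFactory keyStoreFactory = keyStoreFactoryFromOpts(map);
            SslContextBuilder builder = SslContextBuilder.forClient()
                    .ciphers(ciphers)
                    .protocols(protocols)
                    .trustManager(tmfFromOpts(keyStoreFactory, map));
            if (map.containsKey(SecurityConstants.OPT_CERT_ALIAS)) {
                Object[] keyMaterial = extractKeyMaterial(keyStoreFactory, map);
                builder.keyManager((PrivateKey) keyMaterial[0], (X509Certificate[]) keyMaterial[1]);
            }
            return builder.build();
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Unable to initialize client SSL context", e);
        }
    }

    /**
     * Creates a server-side {@link SslContext}.
     *
     * <p>The server key is taken from the configured alias, or from the first key entry in
     * the keystore when no alias is configured.
     *
     * @param map option map
     * @return the built context
     * @throws IllegalStateException if the keystore or trust material cannot be loaded, or
     *         the selected alias does not hold a private key with a certificate chain
     * @throws IllegalArgumentException if the keystore type or client verification option
     *         holds an unsupported value
     */
    public static SslContext forServer(Map<String, String> map) {
        Iterable<String> ciphers = splitOrNull(map, SecurityConstants.OPT_CIPHERS);
        String[] protocols = splitToArrayOrNull(map, SecurityConstants.OPT_PROTOCOLS);
        try {
            KeyStoreFactory keyStoreFactory = keyStoreFactoryFromOpts(map);
            ClientAuth clientAuth = clientAuthfromOpts(map);
            TrustManagerFactory trustManagerFactory = tmfFromOpts(keyStoreFactory, map);
            Object[] keyMaterial = extractKeyMaterial(keyStoreFactory, map);
            return SslContextBuilder
                    .forServer((PrivateKey) keyMaterial[0], (X509Certificate[]) keyMaterial[1])
                    .clientAuth(clientAuth)
                    .protocols(protocols)
                    .ciphers(ciphers)
                    .trustManager(trustManagerFactory)
                    .build();
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Unable to initialize server SSL context", e);
        }
    }

    /**
     * Resolves the client verification mode.
     *
     * <p>{@link ClientAuth#valueOf(String)} matches the enum constant name exactly, so a
     * value in a different case raises {@link IllegalArgumentException}. The effective
     * default is {@code SecurityConstants.TLS_CLIENT_VERIFY_DEFAULT}.
     * NOTE(review): confirm that the default requests the client authentication level the
     * deployment expects.
     */
    private static ClientAuth clientAuthfromOpts(Map<String, String> map) {
        return ClientAuth.valueOf(map.getOrDefault(SecurityConstants.OPT_CLIENT_VERIFY, SecurityConstants.TLS_CLIENT_VERIFY_DEFAULT));
    }

    /**
     * Selects the keystore factory for the configured keystore type (default {@code "JKS"}).
     *
     * @throws IllegalArgumentException for any type other than JKS or PKCS12
     */
    private static KeyStoreFactory keyStoreFactoryFromOpts(Map<String, String> map) throws GeneralSecurityException, IOException {
        String type = map.getOrDefault(SecurityConstants.OPT_KEYSTORE_TYPE, "JKS");
        if ("JKS".equalsIgnoreCase(type)) {
            return new JKSFactory(map);
        }
        if (SecurityConstants.KEYSTORE_TYPE_PKCS12.equalsIgnoreCase(type)) {
            return new PKCS12Factory(map);
        }
        throw new IllegalArgumentException("Unsupported KeyStore type " + type);
    }

    /**
     * Chooses the trust manager factory according to the certificate policy option
     * (default {@code "strict"}).
     *
     * <p>The ignore policy returns {@link InsecureTrustManagerFactory#INSTANCE}, which trusts
     * every certificate. The choice is logged at WARN level because it silently removes
     * protection against an impersonated peer.
     */
    private static TrustManagerFactory tmfFromOpts(KeyStoreFactory keyStoreFactory, Map<String, String> map) throws GeneralSecurityException {
        String policy = map.getOrDefault(SecurityConstants.OPT_CERT_POLICY, "strict");
        if (SecurityConstants.CERT_POLICY_IGNORE.equals(policy)) {
            LOG.warn("Certificate policy '{}' disables peer certificate verification; the remote end is not authenticated", policy);
            return InsecureTrustManagerFactory.INSTANCE;
        }
        return ChainLengthEnforcingTmf.create(keyStoreFactory, map);
    }

    /**
     * Returns the configured certificate alias, or the first alias in the keystore that is a
     * key entry when none is configured.
     *
     * @return the alias, or {@code null} when none is configured and the keystore holds no key entry
     */
    private static String findCertificateAlias(KeyStoreFactory keyStoreFactory, Map<String, String> map) throws KeyStoreException {
        String configured = map.get(SecurityConstants.OPT_CERT_ALIAS);
        if (configured != null) {
            return configured;
        }
        KeyStore keyStore = keyStoreFactory.getKeyStore();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String candidate = aliases.nextElement();
            if (keyStore.isKeyEntry(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Loads the private key and certificate chain for the selected alias.
     *
     * @return a two element array: index 0 is the {@link PrivateKey}, index 1 is the
     *         {@code X509Certificate[]} chain
     * @throws NullPointerException if no alias is configured and the keystore has no key entry
     * @throws IllegalStateException if the alias is not a private key entry or has no
     *         certificate chain
     */
    private static Object[] extractKeyMaterial(KeyStoreFactory keyStoreFactory, Map<String, String> map) throws GeneralSecurityException {
        String alias = findCertificateAlias(keyStoreFactory, map);
        Objects.requireNonNull(alias, "Certificate alias not specified and no private key found in KeyStore");
        KeyStore keyStore = keyStoreFactory.getKeyStore();
        Preconditions.checkState(keyStore.isKeyEntry(alias), "Alias '%s' is not private key", alias);
        // The keystore password is also used as the entry password here.
        KeyStore.Entry entry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(keyStoreFactory.getKeyStorePassword().toCharArray()));
        // isKeyEntry() is also true for secret key entries, so verify the type before casting.
        Preconditions.checkState(entry instanceof KeyStore.PrivateKeyEntry, "Alias '%s' is not private key", alias);
        Certificate[] chain = keyStore.getCertificateChain(alias);
        // getCertificateChain() returns null when the alias has no chain attached.
        Preconditions.checkState(chain != null, "Alias '%s' has no certificate chain", alias);
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        // arraycopy raises ArrayStoreException if an element is not an X509Certificate.
        System.arraycopy(chain, 0, x509Chain, 0, chain.length);
        return new Object[] {((KeyStore.PrivateKeyEntry) entry).getPrivateKey(), x509Chain};
    }

    static {
        // Security.addProvider returns -1 when a provider with the same name is already registered.
        if (Security.addProvider(new BouncyCastleProvider()) == -1) {
            LOG.debug("BouncyCastleProvider is already installed");
        }
    }
}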
