package io.vertx.core.net.impl;

import io.netty.handler.ssl.SslHandler;
import io.vertx.core.VertxException;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.file.FileSystem;
import io.vertx.core.http.ClientAuth;
import io.vertx.core.http.HttpClientOptions;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.impl.VertxInternal;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.core.net.NetClientOptions;
import io.vertx.core.net.NetServerOptions;
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.CRL;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:lib/vertx-core-3.2.1.jar:io/vertx/core/net/impl/SSLHelper.class */
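/**
 * Builds the JSSE {@link SSLContext} described by a set of Vert.x TCP/HTTP options and hands out
 * Netty {@link SslHandler}s for individual connections.
 * <p>
 * The context is created lazily and cached; {@link #validate} forces creation so that key store,
 * trust store and CRL problems are reported as a {@link VertxException} at the point of call
 * rather than on the first connection.
 * <p>
 * Security-relevant behaviour of this class:
 * <ul>
 *   <li>{@code trustAll} replaces the configured trust store with a manager that accepts any
 *       chain; the trust store is not consulted at all in that mode.</li>
 *   <li>CRL revocation checks, when configured, wrap whichever trust managers are in use
 *       (including the trust-all one). They are <em>not</em> applied when no trust managers are
 *       configured, because the JDK default trust store is then used and is never wrapped —
 *       NOTE(review): configured CRLs are silently ignored in that configuration.</li>
 *   <li>Hostname verification ({@code verifyHost}) is only taken from {@link HttpClientOptions};
 *       the {@link NetClientOptions} constructor leaves it off.</li>
 * </ul>
 * Instances are safe to share between connections: the cached context is built under the
 * instance lock and all other state is immutable after construction.
 */
public class SSLHelper {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SSLHelper.class);

    /**
     * Protocols this helper is willing to enable on an engine. Only the entries the engine already
     * reports as enabled are kept (see {@link #createHandler}), so this list can never turn on a
     * protocol the runtime has disabled; it can only narrow the engine's default set.
     * NOTE(review): "SSLv2Hello", "TLSv1" and "TLSv1.1" are legacy entries; consider dropping them
     * or making the set configurable once compatibility no longer requires them.
     */
    private static final String[] ENABLED_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};

    private final boolean ssl;
    private final KeyStoreHelper keyStoreHelper;
    private final KeyStoreHelper trustStoreHelper;
    private final boolean trustAll;
    // Both lists are never null; an absent option is stored as an empty list.
    private final List<String> crlPaths;
    private final List<Buffer> crlValues;
    private final ClientAuth clientAuth;
    private final Set<String> enabledCipherSuites;
    private final boolean verifyHost;
    // Lazily built by getContext(); guarded by the instance lock.
    private SSLContext sslContext;

    /**
     * Creates a helper for an HTTP client. This is the only constructor that honours
     * {@code verifyHost}, i.e. enables endpoint identification on client engines.
     *
     * @param httpClientOptions the client options (ssl, trustAll, CRLs, cipher suites, verifyHost)
     * @param keyStoreHelper    key material for client authentication, may be {@code null}
     * @param keyStoreHelper2   trust material, may be {@code null} (JDK defaults are used)
     */
    public SSLHelper(HttpClientOptions httpClientOptions, KeyStoreHelper keyStoreHelper, KeyStoreHelper keyStoreHelper2) {
        this(httpClientOptions.isSsl(), keyStoreHelper, keyStoreHelper2,
            httpClientOptions.isTrustAll(),
            httpClientOptions.getCrlPaths(), httpClientOptions.getCrlValues(),
            ClientAuth.NONE, httpClientOptions.getEnabledCipherSuites(),
            httpClientOptions.isVerifyHost());
    }

    /**
     * Creates a helper for an HTTP server. Client authentication mode is taken from the options;
     * {@code trustAll} and {@code verifyHost} do not apply to servers and are left off.
     *
     * @param httpServerOptions the server options (ssl, clientAuth, CRLs, cipher suites)
     * @param keyStoreHelper    the server's key material, may be {@code null}
     * @param keyStoreHelper2   trust material used to validate client certificates, may be {@code null}
     */
    public SSLHelper(HttpServerOptions httpServerOptions, KeyStoreHelper keyStoreHelper, KeyStoreHelper keyStoreHelper2) {
        this(httpServerOptions.isSsl(), keyStoreHelper, keyStoreHelper2,
            false,
            httpServerOptions.getCrlPaths(), httpServerOptions.getCrlValues(),
            httpServerOptions.getClientAuth(), httpServerOptions.getEnabledCipherSuites(),
            false);
    }

    /**
     * Creates a helper for a TCP client. Note that {@code verifyHost} is not read from
     * {@link NetClientOptions}, so engines created for TCP clients perform no hostname
     * verification.
     *
     * @param netClientOptions the client options (ssl, trustAll, CRLs, cipher suites)
     * @param keyStoreHelper   key material for client authentication, may be {@code null}
     * @param keyStoreHelper2  trust material, may be {@code null} (JDK defaults are used)
     */
    public SSLHelper(NetClientOptions netClientOptions, KeyStoreHelper keyStoreHelper, KeyStoreHelper keyStoreHelper2) {
        this(netClientOptions.isSsl(), keyStoreHelper, keyStoreHelper2,
            netClientOptions.isTrustAll(),
            netClientOptions.getCrlPaths(), netClientOptions.getCrlValues(),
            ClientAuth.NONE, netClientOptions.getEnabledCipherSuites(),
            false);
    }

    /**
     * Creates a helper for a TCP server. Client authentication mode is taken from the options;
     * {@code trustAll} and {@code verifyHost} do not apply to servers and are left off.
     *
     * @param netServerOptions the server options (ssl, clientAuth, CRLs, cipher suites)
     * @param keyStoreHelper   the server's key material, may be {@code null}
     * @param keyStoreHelper2  trust material used to validate client certificates, may be {@code null}
     */
    public SSLHelper(NetServerOptions netServerOptions, KeyStoreHelper keyStoreHelper, KeyStoreHelper keyStoreHelper2) {
        this(netServerOptions.isSsl(), keyStoreHelper, keyStoreHelper2,
            false,
            netServerOptions.getCrlPaths(), netServerOptions.getCrlValues(),
            netServerOptions.getClientAuth(), netServerOptions.getEnabledCipherSuites(),
            false);
    }

    /**
     * Shared constructor; the public constructors only differ in which option fields they read.
     * CRL lists are defensively copied and {@code null} is normalised to an empty list so that a
     * partially configured pair (one list present, the other {@code null}) no longer causes the
     * configured CRLs to be skipped.
     */
    private SSLHelper(boolean ssl, KeyStoreHelper keyStoreHelper, KeyStoreHelper trustStoreHelper,
                      boolean trustAll, List<String> crlPaths, List<Buffer> crlValues,
                      ClientAuth clientAuth, Set<String> enabledCipherSuites, boolean verifyHost) {
        this.ssl = ssl;
        this.keyStoreHelper = keyStoreHelper;
        this.trustStoreHelper = trustStoreHelper;
        this.trustAll = trustAll;
        this.crlPaths = copyOrEmpty(crlPaths);
        this.crlValues = copyOrEmpty(crlValues);
        this.clientAuth = clientAuth;
        // Kept by reference, not copied: the options' set is expected to preserve the caller's
        // cipher suite order, which a HashSet copy would lose.
        this.enabledCipherSuites = enabledCipherSuites;
        this.verifyHost = verifyHost;
    }

    /** Defensive copy of a CRL source list; a {@code null} list is treated as "no CRLs". */
    private static <T> List<T> copyOrEmpty(List<T> source) {
        return source == null ? new ArrayList<>() : new ArrayList<>(source);
    }

    /** @return whether TLS is enabled for the connections this helper serves */
    public boolean isSSL() {
        return this.ssl;
    }

    /** @return the client authentication mode applied to server-side engines */
    public ClientAuth getClientAuth() {
        return this.clientAuth;
    }

    /**
     * Builds the {@link SSLContext}: key managers from the key store (if any), trust managers
     * from the trust store or the trust-all manager, optionally wrapped with CRL revocation
     * checks, initialised with a fresh {@link SecureRandom}.
     *
     * @throws VertxException wrapping any key store, trust store, CRL parsing or JSSE failure
     */
    private SSLContext createContext(VertxInternal vertx) {
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            KeyManager[] keyMgrs = keyStoreHelper == null ? null : keyStoreHelper.getKeyMgrs(vertx);
            TrustManager[] trustMgrs;
            if (trustAll) {
                // The configured trust store is ignored entirely in this mode.
                trustMgrs = new TrustManager[]{createTrustAllTrustManager()};
            } else {
                trustMgrs = trustStoreHelper == null ? null : trustStoreHelper.getTrustMgrs(vertx);
            }
            // A null trust manager array makes init() fall back to the JDK defaults, which are
            // not wrapped here; CRLs therefore only take effect with explicit trust managers.
            if (trustMgrs != null && !(crlPaths.isEmpty() && crlValues.isEmpty())) {
                trustMgrs = createUntrustRevokedCertTrustManager(trustMgrs, loadCrls(vertx));
            }
            context.init(keyMgrs, trustMgrs, new SecureRandom());
            return context;
        } catch (Exception e) {
            throw new VertxException(e);
        }
    }

    /**
     * Parses every configured CRL: path-based entries are resolved through Vert.x and read
     * synchronously (this runs once, when the context is first built), then the inline
     * {@link Buffer} values follow in configuration order.
     *
     * @throws GeneralSecurityException if the X.509 factory is unavailable or a CRL cannot be parsed
     */
    private List<CRL> loadCrls(VertxInternal vertx) throws GeneralSecurityException {
        FileSystem fileSystem = vertx.fileSystem();
        Stream<Buffer> fromPaths = crlPaths.stream()
            .map(path -> vertx.resolveFile(path).getAbsolutePath())
            .map(fileSystem::readFileBlocking);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<CRL> crls = new ArrayList<>();
        for (Buffer encoded : Stream.concat(fromPaths, crlValues.stream()).collect(Collectors.toList())) {
            crls.addAll(factory.generateCRLs(new ByteArrayInputStream(encoded.getBytes())));
        }
        return crls;
    }

    /**
     * Returns a copy of {@code trustMgrs} in which every {@link X509TrustManager} is wrapped with
     * CRL revocation checks. Trust managers of other types are passed through unchanged.
     */
    private static TrustManager[] createUntrustRevokedCertTrustManager(TrustManager[] trustMgrs, List<CRL> crls) {
        TrustManager[] wrapped = trustMgrs.clone();
        for (int i = 0; i < wrapped.length; i++) {
            if (wrapped[i] instanceof X509TrustManager) {
                wrapped[i] = new RevocationCheckingTrustManager((X509TrustManager) wrapped[i], crls);
            }
        }
        return wrapped;
    }

    /**
     * Wraps an {@link X509TrustManager} and rejects any chain containing a certificate listed in
     * one of the configured CRLs before delegating to the wrapped manager.
     * <p>
     * The CRLs are used as given: {@link CRL#isRevoked} is a membership test, so a CRL's own
     * signature and validity period are not verified here. The CRLs come from the configured
     * paths and values, not from the peer.
     */
    private static final class RevocationCheckingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final List<CRL> crls;

        RevocationCheckingTrustManager(X509TrustManager delegate, List<CRL> crls) {
            this.delegate = delegate;
            this.crls = new ArrayList<>(crls);
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            checkRevoked(chain);
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            checkRevoked(chain);
            delegate.checkServerTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }

        // Runs before chain validation, so a revoked certificate is reported as revoked even if
        // the chain would also fail validation for another reason.
        private void checkRevoked(X509Certificate[] chain) throws CertificateException {
            for (X509Certificate cert : chain) {
                for (CRL crl : crls) {
                    if (crl.isRevoked(cert)) {
                        throw new CertificateException("Certificate revoked");
                    }
                }
            }
        }
    }

    /**
     * Trust manager that accepts every chain without inspecting it and advertises no accepted
     * issuers. Used only when {@code trustAll} is set.
     */
    private static TrustManager createTrustAllTrustManager() {
        return new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally empty: trust-all mode performs no validation.
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally empty: trust-all mode performs no validation.
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        };
    }

    /**
     * Configures an engine and wraps it in a Netty handler.
     * <ul>
     *   <li>Cipher suites are restricted to the configured set when one is given.</li>
     *   <li>Protocols are restricted to the intersection of {@link #ENABLED_PROTOCOLS} and what
     *       the engine already enables.</li>
     *   <li>Server mode applies the client-authentication setting; client mode enables HTTPS
     *       endpoint identification when {@code verifyHost} is set (the engine needs a peer host
     *       for that to have an expected name — see {@link #createSslHandler(VertxInternal, boolean, String, int)}).</li>
     * </ul>
     *
     * @param engine the engine to configure
     * @param client {@code true} for the client side of the handshake
     */
    private SslHandler createHandler(SSLEngine engine, boolean client) {
        if (enabledCipherSuites != null && !enabledCipherSuites.isEmpty()) {
            engine.setEnabledCipherSuites(enabledCipherSuites.toArray(new String[0]));
        }
        engine.setUseClientMode(client);
        Set<String> protocols = new HashSet<>(Arrays.asList(ENABLED_PROTOCOLS));
        protocols.retainAll(Arrays.asList(engine.getEnabledProtocols()));
        engine.setEnabledProtocols(protocols.toArray(new String[0]));
        if (client) {
            if (verifyHost) {
                SSLParameters params = engine.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                engine.setSSLParameters(params);
            }
        } else {
            // No default branch: a value outside NONE/REQUEST/REQUIRED leaves the engine's own
            // defaults in place, matching the previous behaviour.
            switch (getClientAuth()) {
                case REQUEST:
                    engine.setWantClientAuth(true);
                    break;
                case REQUIRED:
                    engine.setNeedClientAuth(true);
                    break;
                case NONE:
                    engine.setNeedClientAuth(false);
                    break;
            }
        }
        return new SslHandler(engine);
    }

    /**
     * Returns the cached context, building it on first use. Synchronised so that concurrent
     * callers of {@link #createSslHandler} share one context instead of racing to build several.
     */
    private synchronized SSLContext getContext(VertxInternal vertx) {
        if (sslContext == null) {
            sslContext = createContext(vertx);
        }
        return sslContext;
    }

    /**
     * Eagerly builds the context when TLS is enabled, so misconfiguration is reported here.
     *
     * @throws VertxException if the context cannot be built
     */
    public synchronized void validate(VertxInternal vertxInternal) {
        if (this.ssl) {
            getContext(vertxInternal);
        }
    }

    /**
     * Creates a handler for an engine bound to a peer host and port. This is the overload that
     * gives endpoint identification ({@code verifyHost}) a hostname to verify against.
     *
     * @param vertxInternal the Vert.x instance used to resolve key/trust/CRL resources
     * @param z             {@code true} for client mode
     * @param str           peer host
     * @param i             peer port
     */
    public SslHandler createSslHandler(VertxInternal vertxInternal, boolean z, String str, int i) {
        return createHandler(getContext(vertxInternal).createSSLEngine(str, i), z);
    }

    /**
     * Creates a handler for an engine with no peer host. NOTE(review): with {@code verifyHost}
     * set, endpoint identification has no expected name on such an engine — confirm callers use
     * the host/port overload for verified client connections.
     *
     * @param vertxInternal the Vert.x instance used to resolve key/trust/CRL resources
     * @param z             {@code true} for client mode
     */
    public SslHandler createSslHandler(VertxInternal vertxInternal, boolean z) {
        return createHandler(getContext(vertxInternal).createSSLEngine(), z);
    }
}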
