package org.dcache.ssl;

import com.google.common.base.Supplier;
import com.google.common.base.Throwables;
import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.ProxySupport;
import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationErrorCategory;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;
import eu.emi.security.authn.x509.impl.PEMCredential;
import eu.emi.security.authn.x509.impl.ValidatorParams;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Objects;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import org.dcache.util.CachingCertificateValidator;
import org.dcache.util.Callables;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/ssl/CanlContextFactory.class */
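/**
 * Factory for TLS contexts whose peer-certificate validation is delegated to CANL.
 *
 * <p>Trust is anchored in an OpenSSL-style CA directory loaded by an
 * {@link OpensslCertChainValidator}; its verdicts are cached by a
 * {@link CachingCertificateValidator} and exposed through a single {@link SSLTrustManager}.
 * X.509 proxy certificates are accepted ({@link ProxySupport#ALLOW}).
 *
 * <p>Both JDK {@link SSLContext} and Netty {@link SslContext} instances can be produced, see
 * {@link #getContext(Class, X509Credential)}. Factories are created through
 * {@link #createDefault()} or {@link #custom()}; the trust managers are fixed at construction
 * and every {@code getContext} call returns a freshly initialised context.
 */
public class CanlContextFactory implements SslContextFactory {

    private static final Logger LOGGER = LoggerFactory.getLogger(CanlContextFactory.class);

    /**
     * Validation-error categories that produce a WARN line naming the rejected peer; errors of
     * any other category are passed through to the validator without being logged here.
     */
    private static final EnumSet<ValidationErrorCategory> VALIDATION_ERRORS_TO_LOG = EnumSet.of(
            ValidationErrorCategory.NAMESPACE,
            ValidationErrorCategory.X509_BASIC,
            ValidationErrorCategory.X509_CHAIN,
            ValidationErrorCategory.NAME_CONSTRAINT,
            ValidationErrorCategory.CRL,
            ValidationErrorCategory.OCSP);

    /** Logging context used when the builder is not given one: nothing to set up or tear down. */
    private static final AutoCloseable NOOP = () -> {
    };

    private final SecureRandom secureRandom = new SecureRandom();
    private final TrustManager[] trustManagers;
    private final boolean startTls;

    /**
     * Configures and builds a {@link CanlContextFactory}.
     *
     * <p>Defaults correspond to a conventional grid host: CA directory
     * {@code /etc/grid-security/certificates}, credential
     * {@code /etc/grid-security/hostkey.pem} + {@code hostcert.pem}, EUGridPMA/Globus namespace
     * checking, CA directory rescanned every 10 minutes, validation results cached for 5 minutes,
     * credential re-read at most once a minute, lazy validator initialisation, server-side
     * (STARTTLS) Netty contexts.
     *
     * <p>NOTE(review): the revocation defaults {@link CrlCheckingMode#IF_VALID} and
     * {@link OCSPCheckingMode#IF_AVAILABLE} read as soft-fail (a missing CRL/OCSP source does not
     * reject the peer). Deployments that require hard-fail revocation checking should set the
     * stricter modes explicitly; confirm the exact semantics against the CANL documentation.
     */
    public static class Builder {

        /** OpenSSL-style CA directory (hashed CA certs, signing policies, CRLs). */
        private Path certificateAuthorityPath =
                FileSystems.getDefault().getPath("/etc/grid-security/certificates", new String[0]);
        private NamespaceCheckingMode namespaceMode = NamespaceCheckingMode.EUGRIDPMA_GLOBUS;
        private CrlCheckingMode crlCheckingMode = CrlCheckingMode.IF_VALID;
        private OCSPCheckingMode ocspCheckingMode = OCSPCheckingMode.IF_AVAILABLE;
        /** How often the CA directory is rescanned, in milliseconds. */
        private long certificateAuthorityUpdateInterval = 600000;
        private boolean lazyMode = true;
        private Path keyPath =
                FileSystems.getDefault().getPath("/etc/grid-security/hostkey.pem", new String[0]);
        private Path certificatePath =
                FileSystems.getDefault().getPath("/etc/grid-security/hostcert.pem", new String[0]);
        private long credentialUpdateInterval = 1;
        private TimeUnit credentialUpdateIntervalUnit = TimeUnit.MINUTES;
        /** Opened around every store-update log line; closed when the line has been written. */
        private Supplier<AutoCloseable> loggingContextSupplier = () -> NOOP;
        /** How long a validation verdict for a chain is reused, in milliseconds. */
        private long validationCacheLifetime = 300000;
        private boolean startTls = true;

        private Builder() {
        }

        /**
         * @param enabled {@code true} (default) to build server-side contexts that begin with a
         *                STARTTLS handshake; {@code false} to build client-side contexts
         */
        public Builder startTls(boolean enabled) {
            this.startTls = enabled;
            return this;
        }

        /** @param path OpenSSL-style CA directory; must not be {@code null} */
        public Builder withCertificateAuthorityPath(Path path) {
            this.certificateAuthorityPath = Objects.requireNonNull(path, "path");
            return this;
        }

        /** @param path OpenSSL-style CA directory as a string; must not be {@code null} */
        public Builder withCertificateAuthorityPath(String path) {
            Objects.requireNonNull(path, "path");
            return withCertificateAuthorityPath(FileSystems.getDefault().getPath(path, new String[0]));
        }

        /** @param millis CA directory rescan interval in milliseconds */
        public Builder withCertificateAuthorityUpdateInterval(long millis) {
            this.certificateAuthorityUpdateInterval = millis;
            return this;
        }

        /** @param interval CA directory rescan interval, converted to milliseconds */
        public Builder withCertificateAuthorityUpdateInterval(long interval, TimeUnit unit) {
            this.certificateAuthorityUpdateInterval =
                    Objects.requireNonNull(unit, "unit").toMillis(interval);
            return this;
        }

        public Builder withCrlCheckingMode(CrlCheckingMode mode) {
            this.crlCheckingMode = Objects.requireNonNull(mode, "mode");
            return this;
        }

        public Builder withOcspCheckingMode(OCSPCheckingMode mode) {
            this.ocspCheckingMode = Objects.requireNonNull(mode, "mode");
            return this;
        }

        public Builder withNamespaceMode(NamespaceCheckingMode mode) {
            this.namespaceMode = Objects.requireNonNull(mode, "mode");
            return this;
        }

        /** @param lazy passed through to the validator's lazy-initialisation flag */
        public Builder withLazy(boolean lazy) {
            this.lazyMode = lazy;
            return this;
        }

        /** @param path PEM private key used by {@link #buildWithCaching(Class)} */
        public Builder withKeyPath(Path path) {
            this.keyPath = Objects.requireNonNull(path, "path");
            return this;
        }

        /** @param path PEM certificate used by {@link #buildWithCaching(Class)} */
        public Builder withCertificatePath(Path path) {
            this.certificatePath = Objects.requireNonNull(path, "path");
            return this;
        }

        /** Upper bound on how long a context built by {@link #buildWithCaching(Class)} is reused. */
        public Builder withCredentialUpdateInterval(long interval, TimeUnit unit) {
            this.credentialUpdateInterval = interval;
            this.credentialUpdateIntervalUnit = Objects.requireNonNull(unit, "unit");
            return this;
        }

        /**
         * @param supplier opens a logging context (e.g. a diagnostic scope) around each store-update
         *                 log line; the returned {@link AutoCloseable} is always closed afterwards
         *                 and may be {@code null}
         */
        public Builder withLoggingContext(Supplier<AutoCloseable> supplier) {
            this.loggingContextSupplier = Objects.requireNonNull(supplier, "supplier");
            return this;
        }

        /** @param millis validation-verdict cache lifetime in milliseconds */
        public Builder withValidationCacheLifetime(long millis) {
            this.validationCacheLifetime = millis;
            return this;
        }

        /** @param lifetime validation-verdict cache lifetime, converted to milliseconds */
        public Builder withValidationCacheLifetime(long lifetime, TimeUnit unit) {
            this.validationCacheLifetime = Objects.requireNonNull(unit, "unit").toMillis(lifetime);
            return this;
        }

        /**
         * Builds the validator chain and wraps it in a factory.
         *
         * <p>The {@link OpensslCertChainValidator} receives the CA directory, the configured
         * namespace/CRL/OCSP modes, the rescan interval and the lazy flag, and is told to accept
         * proxy certificates. (The literal {@code true} second argument presumably selects
         * OpenSSL-1.x style hashed file names; confirm against the CANL constructor.) Store
         * (re)load events and logged validation failures go to {@code LOGGER}, each inside the
         * configured logging context.
         *
         * @return a factory holding exactly one {@link SSLTrustManager} over the validator
         */
        public CanlContextFactory build() {
            RevocationParameters revocation =
                    new RevocationParameters(crlCheckingMode, new OCSPParametes(ocspCheckingMode));
            ValidatorParams validatorParams = new ValidatorParams(revocation, ProxySupport.ALLOW);
            OpensslCertChainValidator validator = new OpensslCertChainValidator(
                    certificateAuthorityPath.toString(),
                    true,
                    namespaceMode,
                    certificateAuthorityUpdateInterval,
                    validatorParams,
                    lazyMode);
            CachingCertificateValidator cachingValidator =
                    new CachingCertificateValidator(validator, validationCacheLifetime);

            cachingValidator.addUpdateListener(new StoreUpdateListener() {
                @Override
                public void loadingNotification(String location, String type,
                        StoreUpdateListener.Severity severity, Exception cause) {
                    // try-with-resources closes the logging context on every exit path, including
                    // when logging itself throws; a null context is tolerated (close is skipped).
                    try (AutoCloseable ignored = loggingContextSupplier.get()) {
                        logLoadingEvent(location, type, severity, cause);
                    } catch (Exception e) {
                        Throwables.throwIfUnchecked(e);
                        throw new RuntimeException(e);
                    }
                }
            });

            cachingValidator.addValidationListener(error -> {
                if (VALIDATION_ERRORS_TO_LOG.contains(error.getErrorCategory())) {
                    LOGGER.warn("The peer's certificate with DN {} was rejected: {}",
                            subjectOf(error.getChain()), error);
                }
                // Always false: this listener only observes. NOTE(review): presumably a true
                // return would tell CANL to ignore the error, so never change this to true.
                return false;
            });

            return new CanlContextFactory(startTls, new SSLTrustManager(cachingValidator));
        }

        /**
         * Builds a factory and returns a memoising supplier of contexts backed by the PEM host
         * credential at {@code keyPath}/{@code certificatePath}.
         *
         * <p>The credential is loaded once here so that an unreadable key or certificate fails at
         * configuration time, and loaded again inside the callable so that a rotated credential
         * is picked up when the memoised value is refreshed. (Previously a single credential
         * instance was captured, so a refresh rebuilt the context from the stale key pair; this
         * assumes {@code Callables.memoizeFromFiles} re-invokes the callable when either file
         * changes, which its name suggests but this file does not show.)
         *
         * @param type {@link SSLContext} or {@link SslContext} (or a supertype)
         * @return a callable that is refreshed when the credential files change and at most every
         *         {@code credentialUpdateInterval}
         * @throws Exception if the credential cannot be read or parsed
         */
        public <T> Callable<T> buildWithCaching(Class<T> type) throws Exception {
            Objects.requireNonNull(type, "type");
            CanlContextFactory factory = build();
            loadCredential();
            Callable<T> loader = () -> factory.getContext(type, loadCredential());
            return Callables.memoizeWithExpiration(
                    Callables.memoizeFromFiles(loader, new Path[]{keyPath, certificatePath}),
                    credentialUpdateInterval,
                    credentialUpdateIntervalUnit);
        }

        /** Reads the unencrypted PEM key and certificate configured on this builder. */
        private PEMCredential loadCredential() throws Exception {
            return new PEMCredential(keyPath.toString(), certificatePath.toString(), (char[]) null);
        }
    }

    /**
     * @param startTls      {@code true} to build server-side contexts that begin with a STARTTLS
     *                      handshake, {@code false} for client-side contexts
     * @param trustManagers trust managers handed to {@link SSLContext#init}; only the first one is
     *                      used for Netty. The array is copied, so callers cannot alter the
     *                      factory's trust after construction.
     */
    protected CanlContextFactory(boolean startTls, TrustManager... trustManagers) {
        this.startTls = startTls;
        this.trustManagers = trustManagers == null ? null : trustManagers.clone();
    }

    /** @return a factory with all {@link Builder} defaults */
    public static CanlContextFactory createDefault() {
        return new Builder().build();
    }

    /** @return a builder initialised with the defaults documented on {@link Builder} */
    public static Builder custom() {
        return new Builder();
    }

    /** @return a copy of the configured trust managers (modifying it does not affect the factory) */
    public TrustManager[] getTrustManagers() {
        return trustManagers == null ? null : trustManagers.clone();
    }

    /**
     * Creates a context of the requested type.
     *
     * <p>{@code type} is matched by assignability, {@link SSLContext} first: asking for a common
     * supertype such as {@code Object} therefore yields a JDK context.
     *
     * @param type       {@link SSLContext} or {@link SslContext} (or a supertype of either)
     * @param credential key material presented to the peer, or {@code null} for none
     * @return a freshly initialised context of type {@code T}
     * @throws GeneralSecurityException if the type is unsupported or the context cannot be built
     */
    @Override
    public <T> T getContext(Class<T> type, X509Credential credential) throws GeneralSecurityException {
        Objects.requireNonNull(type, "type");
        if (type.isAssignableFrom(SSLContext.class)) {
            return type.cast(getJavaSSLContext(credential));
        }
        if (type.isAssignableFrom(SslContext.class)) {
            return type.cast(getNettySslContext(credential));
        }
        throw new GeneralSecurityException("cannot get SSL context of type " + type);
    }

    /**
     * Builds a JDK context over the configured trust managers.
     *
     * <p>The "TLS" algorithm leaves protocol versions and cipher suites to the JVM defaults
     * ({@code jdk.tls.disabledAlgorithms} etc.); tighten them there or on the engine/socket.
     */
    private SSLContext getJavaSSLContext(X509Credential credential) throws GeneralSecurityException {
        KeyManager[] keyManagers =
                credential == null ? null : new KeyManager[]{credential.getKeyManager()};
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(keyManagers, trustManagers, secureRandom);
        return context;
    }

    /**
     * Builds a Netty context: server-side with STARTTLS when {@code startTls} is set, client-side
     * otherwise. Only the first configured trust manager is installed, because the Netty builder
     * accepts a single one.
     *
     * @throws GeneralSecurityException if no trust manager is configured, if a server context is
     *                                  requested without a credential, or if Netty rejects the
     *                                  configuration (the {@link SSLException} is kept as cause)
     */
    private SslContext getNettySslContext(X509Credential credential) throws GeneralSecurityException {
        if (trustManagers == null || trustManagers.length == 0) {
            // Fail explicitly rather than with an index/null error; a null trust manager must
            // never reach Netty, which would presumably fall back to JVM default trust.
            throw new GeneralSecurityException("No trust manager configured for Netty SSL context");
        }
        if (startTls && credential == null) {
            // Netty requires key material for a server-side context; report that clearly.
            throw new GeneralSecurityException(
                    "A credential is required for a server-side (startTls) Netty SSL context");
        }
        try {
            SslContextBuilder builder = startTls
                    ? SslContextBuilder.forServer(credential.getKeyManager())
                    : SslContextBuilder.forClient();
            return builder
                    .trustManager(trustManagers[0])
                    .startTls(startTls)
                    .build();
        } catch (SSLException e) {
            throw new GeneralSecurityException("Could not get Netty SSL context: " + e.getMessage(), e);
        }
    }

    /** Writes one log line for a trust-store load event; ERROR and WARNING include the cause's message. */
    private static void logLoadingEvent(String location, String type,
            StoreUpdateListener.Severity severity, Exception cause) {
        if (severity == null) {
            return;
        }
        switch (severity) {
            case ERROR:
                if (cause == null) {
                    LOGGER.error("Error loading {} from {}.", type, location);
                } else {
                    LOGGER.error("Error loading {} from {}: {}", type, location, cause.getMessage());
                }
                break;
            case WARNING:
                if (cause == null) {
                    LOGGER.warn("Problem loading {} from {}.", type, location);
                } else {
                    LOGGER.warn("Problem loading {} from {}: {}", type, location, cause.getMessage());
                }
                break;
            case NOTIFICATION:
                LOGGER.debug("Reloaded {} from {}.", type, location);
                break;
            default:
                break;
        }
    }

    /** @return the subject DN of the first certificate in {@code chain}, or "" if there is none */
    private static String subjectOf(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "";
        }
        return chain[0].getSubjectX500Principal().getName();
    }
}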
