package org.dcache.ssl;

import com.google.common.base.Predicates;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.util.Arrays;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import org.dcache.util.Args;
import org.dcache.util.Crypto;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/ssl/CanlSslServerSocketCreator.class */
/**
 * {@link ServerSocketFactory} that hands out TLS server sockets backed by an
 * {@link SSLContext} built from a host key, host certificate and CA directory.
 *
 * <p>Every socket returned by the {@code createServerSocket} overloads has its
 * enabled cipher suites and protocols replaced (see
 * {@link #setCipherSuiteAndProtocol(SSLServerSocket)}), requests but does not
 * require a client certificate, and is put into server mode.
 */
public class CanlSslServerSocketCreator extends ServerSocketFactory {
    private static final Logger LOGGER = LoggerFactory.getLogger(CanlSslServerSocketCreator.class);

    // Option names looked up in the Args-based constructor.
    private static final String SERVICE_KEY = "service_key";
    private static final String SERVICE_CERT = "service_cert";
    private static final String SERVICE_TRUSTED_CERTS = "service_trusted_certs";
    private static final String CIPHER_FLAGS = "ciphers";
    private static final String CRL_MODE = "crl-mode";
    private static final String OCSP_MODE = "ocsp-mode";

    /**
     * Protocol names that are never enabled on sockets created here. Only the
     * SSL family is listed; every other protocol the provider reports as
     * supported is enabled.
     *
     * <p>NOTE(review): wherever the JSSE provider still reports TLSv1 / TLSv1.1
     * as supported, this class asks for them to be enabled. Confirm that is
     * intended for the deployment, or that they are switched off elsewhere.
     */
    private static final Set<String> BANNED_PROTOCOLS = ImmutableSet.of("SSL", "SSLv2", "SSLv2Hello", "SSLv3");

    /** Cipher suite names that must not be enabled; copied once at construction. */
    private final Set<String> bannedCiphers;

    /** Supplier of the {@link SSLContext}; invoked once in the constructor and on every factory lookup. */
    private final Callable<SSLContext> factory;

    /**
     * Creates the factory from an option string.
     *
     * @param str option string, parsed by {@link Args}
     * @throws IOException if the SSL context cannot be built
     */
    public CanlSslServerSocketCreator(String str) throws IOException {
        this(new Args(str));
    }

    /**
     * Creates the factory from parsed options: {@code service_key},
     * {@code service_cert}, {@code service_trusted_certs}, {@code ciphers},
     * {@code crl-mode} and {@code ocsp-mode}.
     *
     * <p>The two mode options go through {@code valueOf}, so they have to be
     * exact constant names of {@link CrlCheckingMode} and
     * {@link OCSPCheckingMode}.
     *
     * @param args parsed options
     * @throws IOException if the SSL context cannot be built
     */
    public CanlSslServerSocketCreator(Args args) throws IOException {
        this(
                new File(args.getOption(SERVICE_KEY)),
                new File(args.getOption(SERVICE_CERT)),
                new File(args.getOption(SERVICE_TRUSTED_CERTS)),
                Crypto.getBannedCipherSuitesFromConfigurationValue(args.getOption(CIPHER_FLAGS)),
                CrlCheckingMode.valueOf(args.getOption(CRL_MODE)),
                OCSPCheckingMode.valueOf(args.getOption(OCSP_MODE)));
    }

    /**
     * Creates the factory from explicit credential locations and revocation
     * settings, and builds the SSL context once so that a failure is reported
     * from this constructor.
     *
     * @param file private key location (passed to {@code withKeyPath})
     * @param file2 certificate location (passed to {@code withCertificatePath})
     * @param file3 CA location (passed to {@code withCertificateAuthorityPath})
     * @param strArr cipher suite names that must never be enabled
     * @param crlCheckingMode CRL checking mode for the context
     * @param oCSPCheckingMode OCSP checking mode for the context
     * @throws IOException if building the context fails with a checked exception
     *         (unchecked exceptions and errors propagate unchanged)
     */
    public CanlSslServerSocketCreator(File file, File file2, File file3, String[] strArr, CrlCheckingMode crlCheckingMode, OCSPCheckingMode oCSPCheckingMode) throws IOException {
        try {
            // Only the locations are logged, never the key or certificate contents.
            LOGGER.info("service_key {}", file);
            LOGGER.info("service_certs {}", file2);
            LOGGER.info("service_trusted_certs {}", file3);

            this.bannedCiphers = ImmutableSet.copyOf(strArr);
            this.factory = CanlContextFactory.custom()
                    .withCertificateAuthorityPath(file3.toPath())
                    .withCrlCheckingMode(crlCheckingMode)
                    .withOcspCheckingMode(oCSPCheckingMode)
                    .withKeyPath(file.toPath())
                    .withCertificatePath(file2.toPath())
                    .withLazy(false)
                    .buildWithCaching(SSLContext.class);

            // Result is discarded: the call is made so that an unusable key,
            // certificate or CA location fails construction instead of the
            // first createServerSocket call.
            this.factory.call();
        } catch (Exception failure) {
            // IOException, RuntimeException and Error are rethrown as they are;
            // any other checked exception is wrapped.
            Throwables.propagateIfPossible(failure, IOException.class);
            throw new IOException("Failed to create CanlSslServerSocketCreator: " + failure.getMessage(), failure);
        }
    }

    /** Creates a configured TLS server socket bound to port {@code i}. */
    @Override
    public ServerSocket createServerSocket(int i) throws IOException {
        return configured(getServerSocketFactory().createServerSocket(i));
    }

    /** Creates a configured, unbound TLS server socket. */
    @Override
    public ServerSocket createServerSocket() throws IOException {
        return configured(getServerSocketFactory().createServerSocket());
    }

    /** Creates a configured TLS server socket bound to port {@code i} with backlog {@code i2}. */
    @Override
    public ServerSocket createServerSocket(int i, int i2) throws IOException {
        return configured(getServerSocketFactory().createServerSocket(i, i2));
    }

    /**
     * Creates a configured TLS server socket bound to port {@code i} on
     * {@code inetAddress} with backlog {@code i2}.
     */
    @Override
    public ServerSocket createServerSocket(int i, int i2, InetAddress inetAddress) throws IOException {
        return configured(getServerSocketFactory().createServerSocket(i, i2, inetAddress));
    }

    /**
     * Returns the server socket factory of the current SSL context. Sockets
     * taken directly from this factory have NOT had the cipher and protocol
     * restrictions of this class applied.
     *
     * @return the context's {@link SSLServerSocketFactory}
     * @throws IOException if obtaining the context fails with a checked exception
     */
    public SSLServerSocketFactory getServerSocketFactory() throws IOException {
        try {
            SSLContext context = this.factory.call();
            return context.getServerSocketFactory();
        } catch (Exception failure) {
            Throwables.propagateIfPossible(failure, IOException.class);
            throw new IOException("Failed to create SSL Server Socket Factory: " + failure.getMessage(), failure);
        }
    }

    /** Applies the cipher, protocol and client-auth settings to a freshly created socket. */
    private ServerSocket configured(ServerSocket created) {
        SSLServerSocket tlsSocket = (SSLServerSocket) created;
        setCipherSuiteAndProtocol(tlsSocket);
        return tlsSocket;
    }

    /** Returns the entries of {@code supported} that are not in {@code banned}, in their original order. */
    private static String[] withoutBanned(String[] supported, Set<String> banned) {
        Iterable<String> kept = Iterables.filter(Arrays.asList(supported), Predicates.not(Predicates.in(banned)));
        return Iterables.toArray(kept, String.class);
    }

    /**
     * Replaces the socket's enabled cipher suites and protocols with "everything
     * supported minus the banned names", then requests client authentication
     * and selects server mode.
     *
     * <p>NOTE(review): the starting point is the provider's <em>supported</em>
     * list, not its default-enabled list, so every supported suite that the
     * ban list does not name is enabled. The JSSE documentation warns that the
     * supported list may contain suites that do not meet the quality
     * requirements of the defaults (on some JDK versions this has included
     * unauthenticated and null-encryption suites). Confirm the configured ban
     * list, or the JVM's {@code jdk.tls.disabledAlgorithms} policy, covers
     * everything that has to stay off.
     */
    private void setCipherSuiteAndProtocol(SSLServerSocket socket) {
        String[] cipherSuites = withoutBanned(socket.getSupportedCipherSuites(), this.bannedCiphers);
        String[] protocols = withoutBanned(socket.getSupportedProtocols(), BANNED_PROTOCOLS);

        socket.setEnabledCipherSuites(cipherSuites);
        socket.setEnabledProtocols(protocols);

        // "Want", not "need": a client that presents no certificate still
        // completes the handshake, so any code that relies on an authenticated
        // peer has to check for the certificate itself.
        socket.setWantClientAuth(true);
        socket.setUseClientMode(false);
    }
}
