package org.dcache.dss;

import com.google.common.base.Predicates;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.dcache.gsi.KeyPairCache;
import org.dcache.gsi.ServerGsiEngine;
import org.dcache.ssl.CanlContextFactory;
import org.dcache.util.Args;
import org.dcache.util.CertificateFactories;
import org.dcache.util.Crypto;

/* loaded from: input_file:org/dcache/dss/ServerGsiEngineDssContextFactory.class */
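/**
 * {@link DssContextFactory} that produces server-side GSI (Grid Security
 * Infrastructure) contexts on top of a CAnL-built {@link SslContext}.
 *
 * <p>The service key, certificate and CA directory, the CRL/OCSP/namespace
 * checking modes and the banned cipher suites are fixed at construction time.
 * Each {@link #create} call obtains the (cached) {@link SslContext}, creates a
 * fresh {@link SSLEngine}, strips banned cipher suites and protocols from the
 * enabled sets, makes a client certificate mandatory, and wraps the engine in a
 * {@link ServerGsiEngine}.
 *
 * <p>Security note: cipher suite and protocol restriction is deny-list based.
 * Whatever the JSSE provider enables by default and is not explicitly banned
 * stays on offer. The built-in protocol deny list stops at SSLv3; TLSv1 and
 * TLSv1.1 are not removed here and must be disabled at the JDK level (e.g.
 * {@code jdk.tls.disabledAlgorithms}) if they are not wanted.
 */
public class ServerGsiEngineDssContextFactory implements DssContextFactory {

    // Option names understood by the Args-based constructors.
    private static final String SERVICE_KEY = "service_key";
    private static final String SERVICE_CERT = "service_cert";
    private static final String SERVICE_TRUSTED_CERTS = "service_trusted_certs";
    private static final String CIPHER_FLAGS = "ciphers";
    private static final String NAMESPACE_MODE = "namespace-mode";
    private static final String CRL_MODE = "crl-mode";
    private static final String OCSP_MODE = "ocsp-mode";
    private static final String KEY_CACHE_LIFETIME = "key-cache-lifetime";
    private static final String KEY_CACHE_LIFETIME_UNIT = "key-cache-lifetime-unit";

    /**
     * Protocol names never offered, regardless of what the provider enables.
     * Only the SSL family is listed; see the class comment about TLSv1/TLSv1.1.
     */
    private static final Set<String> BANNED_PROTOCOLS =
          ImmutableSet.of("SSL", "SSLv2", "SSLv2Hello", "SSLv3");

    private final CertificateFactory cf;
    /** Cipher suite names removed from the engine's enabled set. */
    private final Set<String> bannedCiphers;
    /** Supplier of the (cached) SslContext built from the configured credentials. */
    private final Callable<SslContext> factory;
    private final KeyPairCache keyPairCache;

    /**
     * Parses {@code str} as an {@link Args} option string and delegates to
     * {@link #ServerGsiEngineDssContextFactory(Args)}.
     *
     * @param str option string, e.g. {@code -service_key=... -service_cert=...}
     * @throws Exception if an option is missing or malformed, or the
     *         credentials cannot be loaded
     */
    public ServerGsiEngineDssContextFactory(String str) throws Exception {
        this(new Args(str));
    }

    /**
     * Reads all configuration from {@code args}.
     *
     * <p>NOTE(review): if {@code Args.getOption} returns {@code null} for an
     * absent option, the failure surfaces as a {@code NullPointerException} (from
     * {@code new File(null)}) or an {@code IllegalArgumentException} (from the
     * enum {@code valueOf}) rather than a message naming the missing option —
     * confirm against {@code Args} if friendlier diagnostics are wanted.
     *
     * @param args parsed options; all of {@code service_key}, {@code service_cert},
     *        {@code service_trusted_certs}, {@code ciphers}, {@code namespace-mode},
     *        {@code crl-mode}, {@code ocsp-mode}, {@code key-cache-lifetime} and
     *        {@code key-cache-lifetime-unit} are read
     * @throws Exception if an option is missing or malformed, or the
     *         credentials cannot be loaded
     */
    public ServerGsiEngineDssContextFactory(Args args) throws Exception {
        this(new File(args.getOption(SERVICE_KEY)),
              new File(args.getOption(SERVICE_CERT)),
              new File(args.getOption(SERVICE_TRUSTED_CERTS)),
              Crypto.getBannedCipherSuitesFromConfigurationValue(args.getOption(CIPHER_FLAGS)),
              NamespaceCheckingMode.valueOf(args.getOption(NAMESPACE_MODE)),
              CrlCheckingMode.valueOf(args.getOption(CRL_MODE)),
              OCSPCheckingMode.valueOf(args.getOption(OCSP_MODE)),
              args.getLongOption(KEY_CACHE_LIFETIME),
              TimeUnit.valueOf(args.getOption(KEY_CACHE_LIFETIME_UNIT)));
    }

    /**
     * Builds the factory from explicit values and eagerly loads the credentials.
     *
     * @param file           path of the service private key
     * @param file2          path of the service certificate
     * @param file3          directory of trusted CA certificates
     * @param strArr         cipher suite names to ban; copied, may be empty
     * @param namespaceCheckingMode CAnL namespace checking mode
     * @param crlCheckingMode       CAnL CRL checking mode
     * @param oCSPCheckingMode      CAnL OCSP checking mode
     * @param j              key pair cache lifetime, in units of {@code timeUnit}
     * @param timeUnit       unit of {@code j}
     * @throws Exception if the SslContext cannot be built from the given
     *         key, certificate or CA path
     */
    public ServerGsiEngineDssContextFactory(File file, File file2, File file3, String[] strArr,
          NamespaceCheckingMode namespaceCheckingMode, CrlCheckingMode crlCheckingMode,
          OCSPCheckingMode oCSPCheckingMode, long j, TimeUnit timeUnit) throws Exception {
        this.cf = CertificateFactories.newX509CertificateFactory();
        this.bannedCiphers = ImmutableSet.copyOf(strArr);
        this.keyPairCache = new KeyPairCache(j, timeUnit);
        this.factory = CanlContextFactory.custom()
              .withCertificateAuthorityPath(file3.toPath())
              .withCrlCheckingMode(crlCheckingMode)
              .withOcspCheckingMode(oCSPCheckingMode)
              .withNamespaceMode(namespaceCheckingMode)
              .withLazy(false)
              .withKeyPath(file.toPath())
              .withCertificatePath(file2.toPath())
              .buildWithCaching(SslContext.class);
        // Invoke once now so a bad key/cert/CA path fails at construction
        // time instead of on the first connection.
        this.factory.call();
    }

    /**
     * Creates a server-side GSI context for one connection.
     *
     * <p>The first address is handed to Netty as the engine's peer host/port;
     * whether that is the remote or the local end depends on the
     * {@link DssContextFactory} contract, which is not visible here — confirm
     * against callers. The engine is configured to <em>require</em> a client
     * certificate ({@code needClientAuth}); {@code wantClientAuth} is not set
     * separately because {@code setNeedClientAuth(true)} clears it anyway.
     *
     * @param inetSocketAddress  address passed to the engine as peer host/port
     * @param inetSocketAddress2 second address; not used by this implementation
     * @return a new {@link SslEngineDssContext} wrapping a {@link ServerGsiEngine}
     * @throws IOException if the SslContext or engine cannot be created;
     *         an {@code IOException} or {@code RuntimeException} from the
     *         underlying factory is rethrown unchanged, any other checked
     *         exception is wrapped
     */
    @Override // org.dcache.dss.DssContextFactory
    public DssContext create(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2)
          throws IOException {
        try {
            SslContext context = this.factory.call();
            SSLEngine engine = context.newEngine(ByteBufAllocator.DEFAULT,
                  inetSocketAddress.getHostString(), inetSocketAddress.getPort());

            SSLParameters params = engine.getSSLParameters();
            params.setCipherSuites(withoutBanned(params.getCipherSuites(), this.bannedCiphers));
            params.setProtocols(withoutBanned(params.getProtocols(), BANNED_PROTOCOLS));
            // Mandatory client authentication: a handshake without a client
            // certificate fails rather than proceeding unauthenticated.
            params.setNeedClientAuth(true);
            engine.setSSLParameters(params);

            ServerGsiEngine gsiEngine = new ServerGsiEngine(engine, this.cf);
            gsiEngine.setKeyPairCache(this.keyPairCache);
            gsiEngine.setUsingLegacyClose(true);
            return new SslEngineDssContext(gsiEngine, this.cf);
        } catch (IOException | RuntimeException e) {
            // Same propagation as Throwables.propagateIfPossible(e, IOException.class),
            // spelled out so the rethrown types are visible here.
            throw e;
        } catch (Exception e) {
            throw new IOException("Failed to create SSL engine: " + e.getMessage(), e);
        }
    }

    /**
     * Returns the entries of {@code enabled} that are not in {@code banned},
     * preserving order. Used for both cipher suites and protocol names.
     *
     * @param enabled names currently enabled on the engine
     * @param banned  names to drop
     * @return a new array; empty if everything was banned
     */
    private static String[] withoutBanned(String[] enabled, Set<String> banned) {
        List<String> kept = new ArrayList<>(enabled.length);
        for (String name : enabled) {
            if (!banned.contains(name)) {
                kept.add(name);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }
}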
