package org.dcache.ssl;

import com.google.common.base.Predicates;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.dcache.util.Args;
import org.dcache.util.Crypto;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/ssl/CanlSslSocketCreator.class */
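/**
 * A {@link SocketFactory} that hands out client-mode {@link SSLSocket}s backed by an
 * {@link SSLContext} built through {@code CanlContextFactory}.
 *
 * <p>Every socket returned by a {@code createSocket} overload has its enabled cipher suites and
 * protocols replaced by "everything the socket supports, minus the ban lists" and is switched to
 * client mode.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The enabled sets are derived from the <em>supported</em> suites/protocols, not from the
 *       JVM's default-enabled ones. Inside this class the ban lists are therefore the only
 *       filter; anything the provider supports and that is not banned gets switched on.
 *       NOTE(review): JVM-wide restrictions such as the {@code jdk.tls.disabledAlgorithms}
 *       security property presumably still apply underneath; confirm for the deployed runtime,
 *       and consider filtering the default-enabled sets instead.</li>
 *   <li>{@code bannedProtocols} lists only the SSL-era names ("SSL", "SSLv2", "SSLv2Hello",
 *       "SSLv3"). TLSv1 and TLSv1.1 are not on it, so this class does not exclude them.</li>
 *   <li>No endpoint identification algorithm is configured on the sockets here.
 *       NOTE(review): if peer host name verification is required, confirm that the trust
 *       manager behind the context or the caller performs it.</li>
 * </ul>
 */
public class CanlSslSocketCreator extends SocketFactory {
    private static final Logger LOGGER = LoggerFactory.getLogger(CanlSslSocketCreator.class);

    // Option names looked up in the Args-based constructor.
    private static final String SERVICE_KEY = "service_key";
    private static final String SERVICE_CERT = "service_cert";
    private static final String SERVICE_TRUSTED_CERTS = "service_trusted_certs";
    private static final String CIPHER_FLAGS = "ciphers";
    private static final String CRL_MODE = "crl-mode";
    private static final String OCSP_MODE = "ocsp-mode";

    // Protocol names that are never enabled on sockets produced by this factory.
    private static final Set<String> bannedProtocols = ImmutableSet.of("SSL", "SSLv2", "SSLv2Hello", "SSLv3");

    // Cipher suite names that are never enabled on sockets produced by this factory.
    private final Set<String> bannedCiphers;
    // Supplies the SSLContext; invoked once at construction and again on every getSocketFactory().
    private final Callable<SSLContext> factory;

    /**
     * Parses {@code str} into an {@link Args} and delegates to {@link #CanlSslSocketCreator(Args)}.
     *
     * @param str option string understood by {@link Args}
     * @throws IOException if the SSL context cannot be built
     */
    public CanlSslSocketCreator(String str) throws IOException {
        this(new Args(str));
    }

    /**
     * Builds the factory from the {@code service_key}, {@code service_cert},
     * {@code service_trusted_certs}, {@code ciphers}, {@code crl-mode} and {@code ocsp-mode}
     * options.
     *
     * @param args parsed options
     * @throws IOException if the SSL context cannot be built
     * @throws NullPointerException if a path or checking-mode option is absent; the message
     *     names the missing option
     * @throws IllegalArgumentException if {@code crl-mode} or {@code ocsp-mode} is not a constant
     *     of the respective enum
     */
    public CanlSslSocketCreator(Args args) throws IOException {
        this(new File(requiredOption(args, SERVICE_KEY)),
                new File(requiredOption(args, SERVICE_CERT)),
                new File(requiredOption(args, SERVICE_TRUSTED_CERTS)),
                // NOTE(review): how a missing "ciphers" option is treated is decided by Crypto,
                // not here, so it is passed through unchecked.
                Crypto.getBannedCipherSuitesFromConfigurationValue(args.getOption(CIPHER_FLAGS)),
                CrlCheckingMode.valueOf(requiredOption(args, CRL_MODE)),
                OCSPCheckingMode.valueOf(requiredOption(args, OCSP_MODE)));
    }

    /**
     * Builds the factory from explicit settings and creates the SSL context immediately, so that
     * unreadable or invalid credentials surface here rather than on the first connection.
     *
     * @param file private key file
     * @param file2 certificate file
     * @param file3 certificate authority (trust anchor) path
     * @param strArr cipher suite names that must never be enabled
     * @param crlCheckingMode CRL checking mode handed to the context factory
     * @param oCSPCheckingMode OCSP checking mode handed to the context factory
     * @throws IOException if the context cannot be created; non-I/O checked failures are wrapped
     */
    public CanlSslSocketCreator(File file, File file2, File file3, String[] strArr, CrlCheckingMode crlCheckingMode, OCSPCheckingMode oCSPCheckingMode) throws IOException {
        try {
            LOGGER.info("service_key {}", file);
            LOGGER.info("service_certs {}", file2);
            LOGGER.info("service_trusted_certs {}", file3);
            this.bannedCiphers = ImmutableSet.copyOf(strArr);
            this.factory = CanlContextFactory.custom()
                    .withCertificateAuthorityPath(file3.toPath())
                    .withCrlCheckingMode(crlCheckingMode)
                    .withOcspCheckingMode(oCSPCheckingMode)
                    .withKeyPath(file.toPath())
                    .withCertificatePath(file2.toPath())
                    .withLazy(false)
                    .buildWithCaching(SSLContext.class);
            // Result is discarded on purpose: the call only forces context creation now.
            this.factory.call();
        } catch (Exception e) {
            // Rethrows IOException, RuntimeException and Error unchanged; anything else is wrapped.
            Throwables.propagateIfPossible(e, IOException.class);
            throw new IOException("Failed to create CanlSslSocketCreator: " + e.getMessage(), e);
        }
    }

    /** Creates an unconnected client-mode SSL socket with the ban lists applied. */
    @Override
    public Socket createSocket() throws IOException {
        return secured(getSocketFactory().createSocket());
    }

    /** Creates a client-mode SSL socket connected to {@code str:i} with the ban lists applied. */
    @Override
    public Socket createSocket(String str, int i) throws IOException {
        return secured(getSocketFactory().createSocket(str, i));
    }

    /**
     * Creates a client-mode SSL socket connected to {@code str:i} and bound locally to
     * {@code inetAddress:i2}, with the ban lists applied.
     */
    @Override
    public Socket createSocket(String str, int i, InetAddress inetAddress, int i2) throws IOException {
        return secured(getSocketFactory().createSocket(str, i, inetAddress, i2));
    }

    /** Creates a client-mode SSL socket connected to {@code inetAddress:i} with the ban lists applied. */
    @Override
    public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
        return secured(getSocketFactory().createSocket(inetAddress, i));
    }

    /**
     * Creates a client-mode SSL socket connected to {@code inetAddress:i} and bound locally to
     * {@code inetAddress2:i2}, with the ban lists applied.
     */
    @Override
    public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress2, int i2) throws IOException {
        return secured(getSocketFactory().createSocket(inetAddress, i, inetAddress2, i2));
    }

    /**
     * Returns the socket factory of the current SSL context.
     *
     * <p>Sockets obtained directly from the returned factory do NOT have the cipher and protocol
     * ban lists applied; only the {@code createSocket} overloads of this class apply them.
     *
     * @throws IOException if the context cannot be obtained; non-I/O checked failures are wrapped
     */
    public SSLSocketFactory getSocketFactory() throws IOException {
        try {
            return this.factory.call().getSocketFactory();
        } catch (Exception e) {
            Throwables.propagateIfPossible(e, IOException.class);
            // This class only produces client sockets, so the message no longer says "Server".
            throw new IOException("Failed to create SSL Socket Factory: " + e.getMessage(), e);
        }
    }

    /**
     * Looks up an option that the Args-based constructor cannot work without.
     *
     * <p>Without this check an absent option surfaces as a message-less
     * {@link NullPointerException} from {@code new File(null)} or {@code Enum.valueOf}; the
     * exception type is kept and only the message is added.
     * NOTE(review): assumes {@code Args.getOption} returns {@code null} for an absent option.
     */
    private static String requiredOption(Args args, String name) {
        return java.util.Objects.requireNonNull(args.getOption(name), "Missing required option: " + name);
    }

    /**
     * Applies the cipher/protocol policy to a freshly created socket and returns it.
     *
     * <p>Several overloads return an already connected socket, so when the cast or the
     * configuration fails the socket is closed before the exception propagates instead of being
     * left open.
     */
    private Socket secured(Socket raw) {
        try {
            SSLSocket socket = (SSLSocket) raw;
            setCipherSuiteAndProtocol(socket);
            return socket;
        } catch (RuntimeException e) {
            try {
                raw.close();
            } catch (IOException closeFailure) {
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
    }

    /**
     * Enables every supported cipher suite and protocol that is not banned and puts the socket
     * into client mode.
     */
    private void setCipherSuiteAndProtocol(SSLSocket sSLSocket) {
        String[] ciphers = Iterables.toArray(
                Iterables.filter(Arrays.asList(sSLSocket.getSupportedCipherSuites()),
                        Predicates.not(Predicates.in(this.bannedCiphers))),
                String.class);
        String[] protocols = Iterables.toArray(
                Iterables.filter(Arrays.asList(sSLSocket.getSupportedProtocols()),
                        Predicates.not(Predicates.in(bannedProtocols))),
                String.class);
        sSLSocket.setEnabledCipherSuites(ciphers);
        sSLSocket.setEnabledProtocols(protocols);
        sSLSocket.setUseClientMode(true);
    }
}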
