package io.gravitee.node.certificates;

import io.gravitee.common.util.KeyStoreUtils;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/gravitee/node/certificates/ReloadableKeyManager.class */
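/**
 * {@link X509ExtendedKeyManager} whose key material can be replaced at runtime through
 * {@link #load(String, KeyStore, String, boolean)}.
 *
 * <p>When SNI is enabled, {@link #chooseEngineServerAlias(String, Principal[], SSLEngine)} maps
 * the host name requested in the TLS handshake to a keystore alias, trying an exact match first
 * and a {@code *.domain} wildcard entry second, and falling back to the default alias.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The SNI host name is chosen by the remote client. It only selects which certificate is
 *       presented and must not be treated as an authenticated identity.</li>
 *   <li>Resolved names are cached in the alias map, including names that resolved to the default
 *       alias. The cache is bounded by {@link #MAX_SNI_DOMAINS}; once the bound is reached every
 *       uncached name costs a scan of the map, so many distinct client-supplied names can both
 *       fill the cache and make later lookups slower.</li>
 * </ul>
 */
public class ReloadableKeyManager extends X509ExtendedKeyManager {
    private static final Logger logger = LoggerFactory.getLogger(ReloadableKeyManager.class);

    /** Upper bound on the number of entries kept in the SNI alias map (certificate names plus cached lookups). */
    static final int MAX_SNI_DOMAINS = 10000;

    // All state is volatile: load() may run on one thread while handshakes read it on others.
    private volatile String defaultAlias;
    private volatile Map<String, String> sniDomainAliases;
    private volatile X509ExtendedKeyManager delegate;
    private volatile boolean enableSni;

    /**
     * Loads (or reloads) the key material used for subsequent handshakes.
     *
     * <p>Everything is prepared in local variables and published only once all steps succeeded,
     * so a failed reload leaves the previously loaded state in place instead of a half-updated
     * one (for example SNI enabled without an alias map).
     *
     * @param str default alias; when {@code null} it is taken from {@code KeyStoreUtils.getDefaultAlias}
     * @param keyStore key store holding the certificates and private keys
     * @param str2 key store password (never logged)
     * @param z whether the alias is selected from the SNI host name of the handshake
     * @throws IllegalArgumentException if the alias is not in the key store or the key store cannot be loaded
     */
    public void load(String str, KeyStore keyStore, String str2, boolean z) {
        try {
            String alias = str;
            if (alias == null) {
                alias = KeyStoreUtils.getDefaultAlias(keyStore);
            } else if (!keyStore.containsAlias(alias)) {
                throw new IllegalArgumentException(String.format("Unable to load keystore, default alias [%s] not present in the keystore.", alias));
            }
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore, KeyStoreUtils.passwordToCharArray(str2));
            X509ExtendedKeyManager newDelegate = (X509ExtendedKeyManager) factory.getKeyManagers()[0];
            Map<String, String> newAliases = z ? new ConcurrentHashMap<>(KeyStoreUtils.getCommonNamesByAlias(keyStore)) : null;
            int entryCount = keyStore.size();

            // Publish. The alias map is written before the SNI flag so that a reader which sees
            // SNI enabled also sees the map. When SNI is disabled the previous map is kept, as before.
            this.defaultAlias = alias;
            if (z) {
                this.sniDomainAliases = newAliases;
            }
            this.delegate = newDelegate;
            this.enableSni = z;
            logger.info("Key store has been (re)loaded with {} entries.", entryCount);
        } catch (Exception e) {
            throw new IllegalArgumentException("Unable to load keystore", e);
        }
    }

    /**
     * Selects the keystore alias for a server-side handshake.
     *
     * @return the alias mapped to the requested SNI host name, or the default alias when SNI is
     *     disabled, no host name was requested, or nothing matches
     */
    @Override
    public String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
        // Read each field once so one call works on a consistent view even if load() runs concurrently.
        final String fallback = this.defaultAlias;
        final Map<String, String> aliases = this.sniDomainAliases;
        if (!this.enableSni || aliases == null) {
            return fallback;
        }
        Optional<String> requested = requestedHostName(sSLEngine);
        if (!requested.isPresent()) {
            return fallback;
        }
        String host = requested.get();
        // NOTE(review): lookups are case-sensitive; confirm that the names produced by
        // KeyStoreUtils.getCommonNamesByAlias and SNIHostName.getAsciiName agree on case.
        String exact = aliases.get(host);
        if (exact != null) {
            return exact;
        }
        String wildcard = findWildcardAlias(aliases, host);
        String chosen = wildcard != null ? wildcard : fallback;
        // Cache into the map that was searched, not into whatever map is current now: after a
        // concurrent reload the chosen alias may not exist in the new key store.
        cacheSniDomainAlias(aliases, host, chosen);
        return chosen;
    }

    /**
     * Extracts the first host-name entry of the SNI extension, if the engine exposes one.
     * Returns empty rather than failing when there is no handshake session or it is not an
     * {@link ExtendedSSLSession}.
     */
    private static Optional<String> requestedHostName(SSLEngine engine) {
        if (engine == null) {
            return Optional.empty();
        }
        Object session = engine.getHandshakeSession();
        if (!(session instanceof ExtendedSSLSession)) {
            return Optional.empty();
        }
        return ((ExtendedSSLSession) session).getRequestedServerNames().stream()
            // 0 is the host_name SNI type (StandardConstants.SNI_HOST_NAME).
            .filter(name -> name.getType() == 0 && name instanceof SNIHostName)
            .map(name -> ((SNIHostName) name).getAsciiName())
            .findFirst();
    }

    /**
     * Returns the alias of the most specific (longest) {@code *.domain} entry covering
     * {@code host}, or {@code null} when none does. Picking the longest entry makes the result
     * independent of the map's iteration order when several wildcards overlap.
     */
    private static String findWildcardAlias(Map<String, String> aliases, String host) {
        String bestAlias = null;
        int bestLength = -1;
        for (Map.Entry<String, String> entry : aliases.entrySet()) {
            String pattern = entry.getKey();
            if (pattern != null && pattern.startsWith("*.") && pattern.length() > bestLength && matchesWildcard(pattern, host)) {
                bestAlias = entry.getValue();
                bestLength = pattern.length();
            }
        }
        return bestAlias;
    }

    /**
     * Tells whether {@code host} falls under the {@code *.domain} pattern.
     *
     * <p>The comparison keeps the leading dot of the domain, so {@code *.example.com} covers
     * {@code api.example.com} but not {@code badexample.com}; comparing against the bare
     * {@code example.com} suffix would accept any name that merely ends with those characters.
     * The bare domain itself and names with several extra labels are still accepted, as they
     * were before; whether the certificate is valid for them is decided by the client.
     */
    private static boolean matchesWildcard(String pattern, String host) {
        String bareDomain = pattern.substring(2);
        if (bareDomain.isEmpty()) {
            return false;
        }
        return host.equals(bareDomain) || host.endsWith(pattern.substring(1));
    }

    /**
     * Remembers the alias resolved for a host name, unless the map already holds
     * {@link #MAX_SNI_DOMAINS} entries. The size check and the insert are not atomic, so the
     * bound can be exceeded slightly under concurrent handshakes.
     */
    private void cacheSniDomainAlias(Map<String, String> cache, String host, String alias) {
        // A null alias (no default alias available) cannot be stored in a ConcurrentHashMap.
        if (alias != null && cache.size() < MAX_SNI_DOMAINS) {
            cache.put(host, alias);
        }
    }

    /** Delegates to the loaded key manager; returns {@code null} when nothing has been loaded yet. */
    @Override
    public String[] getServerAliases(String str, Principal[] principalArr) {
        X509ExtendedKeyManager current = this.delegate;
        return current != null ? current.getServerAliases(str, principalArr) : null;
    }

    /** Delegates to the loaded key manager; returns {@code null} when nothing has been loaded yet. */
    @Override
    public X509Certificate[] getCertificateChain(String str) {
        X509ExtendedKeyManager current = this.delegate;
        return current != null ? current.getCertificateChain(str) : null;
    }

    /** Delegates to the loaded key manager; returns {@code null} when nothing has been loaded yet. */
    @Override
    public PrivateKey getPrivateKey(String str) {
        X509ExtendedKeyManager current = this.delegate;
        return current != null ? current.getPrivateKey(str) : null;
    }

    /** Delegates to the loaded key manager; returns {@code null} when nothing has been loaded yet. */
    @Override
    public String[] getClientAliases(String str, Principal[] principalArr) {
        X509ExtendedKeyManager current = this.delegate;
        return current != null ? current.getClientAliases(str, principalArr) : null;
    }

    /** Delegates to the loaded key manager; returns {@code null} when nothing has been loaded yet. */
    @Override
    public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        X509ExtendedKeyManager current = this.delegate;
        return current != null ? current.chooseClientAlias(strArr, principalArr, socket) : null;
    }

    /** Delegates to the loaded key manager; returns {@code null} when nothing has been loaded yet. */
    @Override
    public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        X509ExtendedKeyManager current = this.delegate;
        return current != null ? current.chooseServerAlias(str, principalArr, socket) : null;
    }

    /** Package-private view of the live alias map (certificate names plus cached SNI lookups). */
    Map<String, String> getSniDomainAliases() {
        return this.sniDomainAliases;
    }

    /** Package-private replacement of the alias map; the given map is used as is and written to by the cache. */
    void setSniDomainAliases(Map<String, String> map) {
        this.sniDomainAliases = map;
    }
}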
