package com.yahoo.security.tls;

import com.yahoo.security.SealedSharedKey;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509SslContext;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/* loaded from: input_file:com/yahoo/security/tls/DefaultTlsContext.class */
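/**
 * {@link TlsContext} backed by an {@link X509SslContext}: a JDK {@link SSLContext} together with
 * the intersection of the policy-accepted cipher suites and protocol versions with what that
 * context actually supports, plus the client-authentication mode to apply per connection.
 *
 * <p>Construction fails with {@link IllegalStateException} when the accepted cipher-suite set or
 * the accepted protocol set has no overlap with what the JDK supports, so a misconfigured
 * allow-list fails closed instead of silently falling back to JDK defaults.
 *
 * <p>All fields are final; {@link #parameters()} derives a new {@link SSLParameters} from
 * {@code SSLContext.getDefaultSSLParameters()} on every call, so callers may mutate the result.
 *
 * <p>Note on the decompiled listing this was restored from: the synthetic {@code $SwitchMap}
 * helper class and the {@code SealedSharedKey.CURRENT_TOKEN_VERSION} case label were
 * decompiler artifacts (an enum switch and the constant {@code 2}); the code below switches on
 * the enum directly.
 */
public class DefaultTlsContext implements TlsContext {
    private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());

    /** Key material, trust anchors and peer-authorization policy, wrapped around a JDK SSLContext. */
    private final X509SslContext sslContext;
    /** Cipher suites both accepted by policy and supported by the JDK, in the JDK's reported order. */
    private final String[] validCiphers;
    /** Protocol versions both accepted by policy and supported by the JDK, in the JDK's reported order. */
    private final String[] validProtocols;
    /** Whether a client certificate is requested (WANT), required (NEED) or never asked for (DISABLED). */
    private final PeerAuthentication peerAuthentication;

    /**
     * Creates a context restricted to the library-wide defaults
     * {@link TlsContext#ALLOWED_CIPHER_SUITES} and {@link TlsContext#ALLOWED_PROTOCOLS}.
     *
     * @param x509SslContext     the SSL context to wrap
     * @param peerAuthentication client-authentication mode applied in {@link #parameters()}
     * @return a new context
     * @throws IllegalStateException if none of the default cipher suites or protocols is
     *                               supported by {@code x509SslContext}
     */
    public static DefaultTlsContext of(X509SslContext x509SslContext, PeerAuthentication peerAuthentication) {
        return new DefaultTlsContext(
                x509SslContext, TlsContext.ALLOWED_CIPHER_SUITES, TlsContext.ALLOWED_PROTOCOLS, peerAuthentication);
    }

    /**
     * Builds an {@link X509SslContext} from raw key material and trust anchors, then wraps it with
     * the library-wide default cipher-suite and protocol allow-lists.
     *
     * <p>Peer certificates are always validated by a {@link PeerAuthorizerTrustManager} configured
     * with {@code authorizedPeers}, {@code authorizationMode} and {@code hostnameVerification}.
     * An empty {@code certificates} list means no key store is installed; an empty
     * {@code caCertificates} list means no explicit trust store is installed (what the builder then
     * trusts is decided by {@link SslContextBuilder}, not here).
     *
     * @param certificates        own certificate chain; may be empty
     * @param privateKey          private key matching {@code certificates}
     * @param caCertificates      trust anchors; may be empty
     * @param authorizedPeers     peer-authorization policy handed to the trust manager
     * @param authorizationMode   how strictly the peer policy is enforced
     * @param peerAuthentication  client-authentication mode applied in {@link #parameters()}
     * @param hostnameVerification hostname-verification mode handed to the trust manager
     * @return a new context
     * @throws IllegalStateException if none of the default cipher suites or protocols is supported
     */
    public static DefaultTlsContext of(List<X509Certificate> certificates,
                                       PrivateKey privateKey,
                                       List<X509Certificate> caCertificates,
                                       AuthorizedPeers authorizedPeers,
                                       AuthorizationMode authorizationMode,
                                       PeerAuthentication peerAuthentication,
                                       HostnameVerification hostnameVerification) {
        X509SslContext context = createSslContext(
                certificates, privateKey, caCertificates, authorizedPeers, authorizationMode, hostnameVerification);
        return of(context, peerAuthentication);
    }

    /**
     * Creates a context with caller-supplied cipher-suite and protocol allow-lists.
     *
     * @param x509SslContext       the SSL context to wrap
     * @param acceptedCiphers      cipher suites the caller is willing to negotiate
     * @param acceptedProtocols    protocol versions the caller is willing to negotiate
     * @param peerAuthentication   client-authentication mode applied in {@link #parameters()}
     * @return a new context
     * @throws IllegalStateException if the intersection of either allow-list with the JDK's
     *                               supported set is empty
     * @throws NullPointerException  if an allow-list is {@code null}
     */
    public static DefaultTlsContext of(X509SslContext x509SslContext,
                                       Set<String> acceptedCiphers,
                                       Set<String> acceptedProtocols,
                                       PeerAuthentication peerAuthentication) {
        return new DefaultTlsContext(x509SslContext, acceptedCiphers, acceptedProtocols, peerAuthentication);
    }

    private DefaultTlsContext(X509SslContext x509SslContext,
                              Set<String> acceptedCiphers,
                              Set<String> acceptedProtocols,
                              PeerAuthentication peerAuthentication) {
        this.sslContext = x509SslContext;
        this.peerAuthentication = peerAuthentication;
        // Intersect eagerly so a useless allow-list is rejected at construction, not at first handshake.
        this.validCiphers = getAllowedCiphers(x509SslContext.context(), acceptedCiphers);
        this.validProtocols = getAllowedProtocols(x509SslContext.context(), acceptedProtocols);
    }

    /**
     * Returns the cipher suites that are both supported by {@code sslContext} (as reported by
     * {@link TlsContext#getAllowedCipherSuites(SSLContext)}) and present in {@code acceptedCiphers}.
     *
     * @throws IllegalStateException if the intersection is empty
     * @throws NullPointerException  if {@code acceptedCiphers} is {@code null}
     */
    private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) {
        Set<String> supported = TlsContext.getAllowedCipherSuites(sslContext);
        String[] usable = retainAccepted(supported, acceptedCiphers);
        if (usable.length == 0) {
            throw new IllegalStateException(String.format(
                    "None of the accepted ciphers are supported (supported=%s, accepted=%s)", supported, acceptedCiphers));
        }
        log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", Arrays.toString(usable)));
        return usable;
    }

    /**
     * Returns the protocol versions that are both supported by {@code sslContext} (as reported by
     * {@link TlsContext#getAllowedProtocols(SSLContext)}) and present in {@code acceptedProtocols}.
     *
     * @throws IllegalStateException if the intersection is empty
     * @throws NullPointerException  if {@code acceptedProtocols} is {@code null}
     */
    private static String[] getAllowedProtocols(SSLContext sslContext, Set<String> acceptedProtocols) {
        Set<String> supported = TlsContext.getAllowedProtocols(sslContext);
        String[] usable = retainAccepted(supported, acceptedProtocols);
        if (usable.length == 0) {
            throw new IllegalStateException(String.format(
                    "None of the accepted protocols are supported (supported=%s, accepted=%s)", supported, acceptedProtocols));
        }
        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(usable)));
        return usable;
    }

    /**
     * Keeps the elements of {@code supported} that also appear in {@code accepted}, preserving the
     * iteration order of {@code supported}. Shared by the cipher-suite and protocol filters.
     *
     * @throws NullPointerException if {@code accepted} is {@code null}
     */
    private static String[] retainAccepted(Set<String> supported, Set<String> accepted) {
        Objects.requireNonNull(accepted, "accepted");
        return supported.stream()
                .filter(accepted::contains)
                .toArray(String[]::new);
    }

    @Override // com.yahoo.security.tls.TlsContext
    public X509SslContext sslContext() {
        return this.sslContext;
    }

    /**
     * Returns fresh {@link SSLParameters} restricted to the negotiated-allowed cipher suites and
     * protocols, with client authentication set according to {@link PeerAuthentication}.
     */
    @Override // com.yahoo.security.tls.TlsContext
    public SSLParameters parameters() {
        return createSslParameters();
    }

    /**
     * Starts from the context's default parameters and narrows them to {@link #validCiphers} and
     * {@link #validProtocols}; then maps WANT to {@code setWantClientAuth(true)}, NEED to
     * {@code setNeedClientAuth(true)} and DISABLED to leaving both flags untouched.
     *
     * @throws UnsupportedOperationException for an enum constant not handled here
     */
    private SSLParameters createSslParameters() {
        SSLParameters parameters = this.sslContext.context().getDefaultSSLParameters();
        parameters.setCipherSuites(this.validCiphers);
        parameters.setProtocols(this.validProtocols);
        switch (this.peerAuthentication) {
            case WANT:
                // Request a client certificate but complete the handshake without one.
                parameters.setWantClientAuth(true);
                break;
            case NEED:
                // Require a client certificate; the handshake fails without one.
                parameters.setNeedClientAuth(true);
                break;
            case DISABLED:
                break;
            default:
                throw new UnsupportedOperationException("Unknown peer authentication: " + this.peerAuthentication);
        }
        return parameters;
    }

    /**
     * Assembles an {@link X509SslContext} via {@link SslContextBuilder}: key store only when
     * {@code certificates} is non-empty, trust store only when {@code caCertificates} is
     * non-empty, and always a {@link PeerAuthorizerTrustManager} as the trust-manager factory so
     * peer certificates are checked against {@code authorizedPeers}.
     */
    private static X509SslContext createSslContext(List<X509Certificate> certificates,
                                                   PrivateKey privateKey,
                                                   List<X509Certificate> caCertificates,
                                                   AuthorizedPeers authorizedPeers,
                                                   AuthorizationMode authorizationMode,
                                                   HostnameVerification hostnameVerification) {
        SslContextBuilder builder = new SslContextBuilder();
        if (!certificates.isEmpty()) {
            builder.withKeyStore(privateKey, certificates);
        }
        if (!caCertificates.isEmpty()) {
            builder.withTrustStore(caCertificates);
        }
        return builder
                .withTrustManagerFactory(keyStore ->
                        new PeerAuthorizerTrustManager(authorizedPeers, authorizationMode, hostnameVerification, keyStore))
                .buildContext();
    }
}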
