package org.apache.james.protocols.lib;

import com.github.fge.lambdas.Throwing;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import java.util.Optional;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.pem.util.PemUtils;
import nl.altindag.ssl.trustmanager.trustoptions.TrustStoreTrustOptions;
import org.apache.james.filesystem.api.FileSystem;
import org.apache.james.protocols.lib.netty.AbstractConfigurableAsyncServer;
import org.apache.james.protocols.netty.Encryption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.class */
/**
 * Builds the server-side {@link Encryption} (plain TLS or STARTTLS) for a protocol server out of an
 * {@link SslConfig}, delegating key- and trust-material loading to sslcontext-kickstart's {@link SSLFactory}.
 *
 * <p>Identity material comes either from a keystore (when {@code getKeystore()} is set) or from PEM certificate
 * and private-key resources. Trust material, and with it the optional OCSP/CRL revocation checking of client
 * certificates, is only configured when client authentication is requested AND a truststore is configured;
 * see {@link #create()}.
 */
public class LegacyJavaEncryptionFactory implements Encryption.Factory {
    // Logger category kept as AbstractConfigurableAsyncServer (as in the original) so SSL setup messages
    // appear under the server's logger rather than under this factory's class name.
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractConfigurableAsyncServer.class);
    private final FileSystem fileSystem;
    private final SslConfig sslConfig;

    /**
     * @param fileSystem resolves keystore, truststore and PEM locations named in the configuration
     * @param sslConfig  the SSL settings the {@link Encryption} is built from
     */
    public LegacyJavaEncryptionFactory(FileSystem fileSystem, SslConfig sslConfig) {
        this.fileSystem = fileSystem;
        this.sslConfig = sslConfig;
    }

    /**
     * Builds an {@link SSLContext} from the configuration and wraps it as STARTTLS or plain TLS encryption.
     *
     * @return the configured {@link Encryption}
     * @throws Exception if key or trust material cannot be located or loaded, or the SSL context fails to build
     */
    @Override
    public Encryption create() throws Exception {
        SSLFactory.Builder builder = SSLFactory.builder().withSslContextAlgorithm("TLS");
        String secret = sslConfig.getSecret();

        if (sslConfig.getKeystore() != null) {
            java.nio.file.Path keystorePath = fileSystem.getFile(sslConfig.getKeystore()).toPath();
            // A missing secret is treated as an empty password. The same password is used both to open the
            // keystore and to unlock the key entry: a separate key password is not supported here.
            char[] keystorePassword = (secret == null ? "" : secret).toCharArray();
            LOGGER.debug("Building SSL config for keystore({}) at {}", sslConfig.getKeystoreType(), keystorePath.toAbsolutePath());
            builder.withIdentityMaterial(keystorePath, keystorePassword, keystorePassword, sslConfig.getKeystoreType());
        } else {
            // PEM mode: certificate chain and private key are read as file-system resources. Unlike the keystore
            // branch, a missing secret is passed on to PemUtils as a null key password, not as "".
            char[] privateKeyPassword = secret == null ? null : secret.toCharArray();
            builder.withIdentityMaterial(PemUtils.loadIdentityMaterial(
                fileSystem.getResource(sslConfig.getCertificates()),
                fileSystem.getResource(sslConfig.getPrivateKey()),
                privateKeyPassword));
        }

        // Trust material decides which client certificates are accepted. It is only installed when both client
        // auth and a truststore are configured; with clientAuth set but no truststore, whatever SSLFactory does
        // by default applies — NOTE(review): confirm that is the intended trust for such deployments.
        if (sslConfig.getClientAuth() != null && sslConfig.getTruststore() != null) {
            Optional<TrustStoreTrustOptions<? extends CertPathTrustManagerParameters>> revocationOptions =
                clientAuthTrustOptions(sslConfig);
            java.nio.file.Path truststorePath = fileSystem.getFile(sslConfig.getTruststore()).toPath();
            // Throwing.consumer(...).sneakyThrow() lets checked exceptions from loading the truststore
            // propagate out of the lambda unchanged; create() declares `throws Exception` for that reason.
            revocationOptions.ifPresentOrElse(
                Throwing.consumer(options -> builder.withTrustMaterial(
                    truststorePath, sslConfig.getTruststoreSecret(), sslConfig.getTruststoreType(), options)).sneakyThrow(),
                Throwing.runnable(() -> builder.withTrustMaterial(
                    truststorePath, sslConfig.getTruststoreSecret(), sslConfig.getTruststoreType())));
        }

        SSLContext sslContext = builder.build().getSslContext();
        if (sslConfig.useStartTLS()) {
            return Encryption.createStartTls(sslContext, sslConfig.getEnabledCipherSuites(), sslConfig.getEnabledProtocols(), sslConfig.getClientAuth());
        }
        return Encryption.createTls(sslContext, sslConfig.getEnabledCipherSuites(), sslConfig.getEnabledProtocols(), sslConfig.getClientAuth());
    }

    /**
     * Builds the trust options that add certificate revocation checking for client certificates.
     *
     * <p>Only active when {@code sslConfig.ocspCRLChecksEnabled()} is true; otherwise the truststore is used
     * without any revocation checking. The PKIX revocation checker is configured with
     * {@link PKIXRevocationChecker.Option#NO_FALLBACK}, so only the JDK's preferred mechanism is consulted and
     * no fallback to the other one is attempted; {@code SOFT_FAIL} is not set, so per the JDK contract of
     * {@code PKIXRevocationChecker} a revocation status that cannot be determined fails validation.
     *
     * @param sslConfig the SSL settings
     * @return trust options that attach the revocation checker to the PKIX parameters built from the truststore,
     *         or empty when revocation checks are disabled
     * @throws NoSuchAlgorithmException if no PKIX {@link CertPathBuilder} is available
     */
    private Optional<TrustStoreTrustOptions<? extends CertPathTrustManagerParameters>> clientAuthTrustOptions(SslConfig sslConfig) throws NoSuchAlgorithmException {
        if (!sslConfig.ocspCRLChecksEnabled()) {
            return Optional.empty();
        }
        CertPathBuilder pkixBuilder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) pkixBuilder.getRevocationChecker();
        revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        TrustStoreTrustOptions<? extends CertPathTrustManagerParameters> withRevocationChecker = trustStore -> {
            PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
            parameters.addCertPathChecker(revocationChecker);
            return new CertPathTrustManagerParameters(parameters);
        };
        return Optional.of(withRevocationChecker);
    }
}
