package io.quarkus.tls.runtime;

import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.tls.TlsConfiguration;
import io.quarkus.tls.TlsConfigurationRegistry;
import io.quarkus.tls.runtime.config.KeyStoreConfig;
import io.quarkus.tls.runtime.config.TlsBucketConfig;
import io.quarkus.tls.runtime.config.TlsConfig;
import io.quarkus.tls.runtime.config.TrustStoreConfig;
import io.quarkus.tls.runtime.keystores.JKSKeyStores;
import io.quarkus.tls.runtime.keystores.P12KeyStores;
import io.quarkus.tls.runtime.keystores.PemKeyStores;
import io.quarkus.tls.runtime.keystores.TrustAllOptions;
import io.vertx.core.Vertx;
import java.security.KeyStoreException;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

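/**
 * Recorder that validates the configured TLS buckets and acts as the
 * {@link TlsConfigurationRegistry} holding the resulting {@link TlsConfiguration}s by name.
 *
 * <p>Configurations are kept in a {@link ConcurrentHashMap}, so lookups and registrations may
 * happen from different threads. Registering under an existing name replaces the previous
 * entry.
 */
@Recorder
public class CertificateRecorder implements TlsConfigurationRegistry {
    /** TLS configurations indexed by name; the default one is stored under {@code TlsConfig.DEFAULT_NAME}. */
    private final Map<String, TlsConfiguration> certificates = new ConcurrentHashMap<>();

    /**
     * Verifies the default TLS bucket (when present) and every named bucket, storing each
     * resulting configuration in this registry.
     *
     * @param tlsConfig the TLS configuration root
     * @param runtimeValue holder of the Vert.x instance passed on to the key/trust store loaders
     */
    public void validateCertificates(TlsConfig tlsConfig, RuntimeValue<Vertx> runtimeValue) {
        if (tlsConfig.defaultCertificateConfig().isPresent()) {
            verifyCertificateConfig(tlsConfig.defaultCertificateConfig().get(), runtimeValue.getValue(),
                    TlsConfig.DEFAULT_NAME);
        }
        // Iterate over entries so that each bucket is read once instead of looked up again by key.
        for (Map.Entry<String, TlsBucketConfig> named : tlsConfig.namedCertificateConfig().entrySet()) {
            verifyCertificateConfig(named.getValue(), runtimeValue.getValue(), named.getKey());
        }
    }

    /**
     * Verifies one TLS bucket and stores the resulting configuration under the given name.
     *
     * @param tlsBucketConfig the bucket to verify
     * @param vertx the Vert.x instance handed to the key/trust store loaders
     * @param str the name under which the configuration is stored
     * @throws IllegalStateException if SNI is enabled but no key store was loaded, the key store
     *         holds at most one alias, the aliases cannot be listed, or {@code trust-all} is
     *         combined with a trust store
     */
    public void verifyCertificateConfig(TlsBucketConfig tlsBucketConfig, Vertx vertx, String str) {
        KeyStoreAndKeyCertOptions keyStoreAndKeyCertOptions = null;
        if (tlsBucketConfig.keyStore().isPresent()) {
            KeyStoreConfig keyStoreConfig = tlsBucketConfig.keyStore().get();
            keyStoreAndKeyCertOptions = verifyKeyStore(keyStoreConfig, vertx, str);
            if (keyStoreConfig.sni()) {
                // verifyKeyStore returns null when no PEM, P12 or JKS section is present; fail with a
                // configuration error rather than a NullPointerException on the alias lookup.
                if (keyStoreAndKeyCertOptions == null || keyStoreAndKeyCertOptions.keyStore == null) {
                    throw new IllegalStateException(
                            "The SNI option requires a loaded key store for the TLS configuration '" + str + "'");
                }
                try {
                    if (Collections.list(keyStoreAndKeyCertOptions.keyStore.aliases()).size() <= 1) {
                        throw new IllegalStateException("The SNI option cannot be used when the keystore contains only one alias or the `alias` property has been set");
                    }
                } catch (KeyStoreException e) {
                    throw new IllegalStateException(
                            "Unable to list the aliases of the key store of the TLS configuration '" + str + "'", e);
                }
            }
        }

        TrustStoreAndTrustOptions trustStoreAndTrustOptions = null;
        if (tlsBucketConfig.trustStore().isPresent()) {
            trustStoreAndTrustOptions = verifyTrustStore(tlsBucketConfig.trustStore().get(), vertx, str);
        }

        if (tlsBucketConfig.trustAll()) {
            // trust-all and an explicit trust store contradict each other, so the combination is rejected.
            if (trustStoreAndTrustOptions != null) {
                throw new IllegalStateException("The trust-all option cannot be used when a trust-store is configured");
            }
            // NOTE(review): TrustAllOptions, going by its name, accepts any peer certificate, which leaves
            // connections using this bucket unauthenticated. Confirm against TrustAllOptions and keep
            // trust-all out of production configuration.
            trustStoreAndTrustOptions = new TrustStoreAndTrustOptions(null, TrustAllOptions.INSTANCE);
        }

        this.certificates.put(str,
                new VertxCertificateHolder(vertx, str, tlsBucketConfig, keyStoreAndKeyCertOptions, trustStoreAndTrustOptions));
    }

    /**
     * Validates the key store configuration and loads it with the loader matching the configured
     * format. PEM is checked first, then P12, then JKS.
     *
     * @param keyStoreConfig the key store configuration
     * @param vertx the Vert.x instance handed to the loader
     * @param str the name of the TLS configuration
     * @return the loaded key store and options, or {@code null} when no format is configured
     */
    public static KeyStoreAndKeyCertOptions verifyKeyStore(KeyStoreConfig keyStoreConfig, Vertx vertx, String str) {
        keyStoreConfig.validate(str);
        if (keyStoreConfig.pem().isPresent()) {
            return PemKeyStores.verifyPEMKeyStore(keyStoreConfig, vertx, str);
        }
        if (keyStoreConfig.p12().isPresent()) {
            return P12KeyStores.verifyP12KeyStore(keyStoreConfig, vertx, str);
        }
        if (keyStoreConfig.jks().isPresent()) {
            return JKSKeyStores.verifyJKSKeyStore(keyStoreConfig, vertx, str);
        }
        return null;
    }

    /**
     * Validates the trust store configuration and loads it with the loader matching the
     * configured format. PEM is checked first, then P12, then JKS.
     *
     * @param trustStoreConfig the trust store configuration
     * @param vertx the Vert.x instance handed to the loader
     * @param str the name of the TLS configuration
     * @return the loaded trust store and options, or {@code null} when no format is configured
     */
    public static TrustStoreAndTrustOptions verifyTrustStore(TrustStoreConfig trustStoreConfig, Vertx vertx, String str) {
        trustStoreConfig.validate(str);
        if (trustStoreConfig.pem().isPresent()) {
            return PemKeyStores.verifyPEMTrustStoreStore(trustStoreConfig, vertx, str);
        }
        if (trustStoreConfig.p12().isPresent()) {
            return P12KeyStores.verifyP12TrustStoreStore(trustStoreConfig, vertx, str);
        }
        if (trustStoreConfig.jks().isPresent()) {
            return JKSKeyStores.verifyJKSTrustStoreStore(trustStoreConfig, vertx, str);
        }
        return null;
    }

    /**
     * Looks up a TLS configuration by name.
     *
     * @param str the configuration name
     * @return the configuration, or an empty {@link Optional} when none is stored under that name
     */
    @Override
    public Optional<TlsConfiguration> get(String str) {
        return Optional.ofNullable(this.certificates.get(str));
    }

    /**
     * Looks up the configuration stored under {@code TlsConfig.DEFAULT_NAME}.
     *
     * @return the default configuration, or an empty {@link Optional} when there is none
     */
    @Override
    public Optional<TlsConfiguration> getDefault() {
        return get(TlsConfig.DEFAULT_NAME);
    }

    /**
     * Registers a TLS configuration under the given name, replacing any configuration already
     * stored under it. The default name is reserved and cannot be registered this way.
     *
     * @param str the configuration name; must be non-null and not {@code TlsConfig.DEFAULT_NAME}
     * @param tlsConfiguration the configuration to store; must be non-null
     * @throws IllegalArgumentException if an argument is null or the name is the default name
     */
    @Override
    public void register(String str, TlsConfiguration tlsConfiguration) {
        if (str == null) {
            throw new IllegalArgumentException("The name of the TLS configuration to register cannot be null");
        }
        if (str.equals(TlsConfig.DEFAULT_NAME)) {
            throw new IllegalArgumentException("The name of the TLS configuration to register cannot be <default>");
        }
        if (tlsConfiguration == null) {
            throw new IllegalArgumentException("The TLS configuration to register cannot be null");
        }
        this.certificates.put(str, tlsConfiguration);
    }

    /**
     * Returns a supplier that yields this recorder as the registry.
     *
     * @return a supplier of this instance
     */
    public Supplier<TlsConfigurationRegistry> getSupplier() {
        return () -> this;
    }

    /**
     * Resolves the supplier immediately and registers the configuration it returns, applying the
     * same checks as {@link #register(String, TlsConfiguration)}.
     *
     * @param str the configuration name
     * @param supplier the supplier of the configuration to store; must be non-null
     * @throws IllegalArgumentException if the supplier is null, or for the reasons listed on
     *         {@link #register(String, TlsConfiguration)}
     */
    public void register(String str, Supplier<TlsConfiguration> supplier) {
        if (supplier == null) {
            throw new IllegalArgumentException("The supplier of the TLS configuration to register cannot be null");
        }
        register(str, supplier.get());
    }
}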
