package com.gitlab.credit_reference_platform.crp.gateway.ssl.customizer;

import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.enum_type.SecretSubType;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.service.ICertificateSecretService;
import com.gitlab.credit_reference_platform.crp.gateway.certificate.CertificateGeneratorBuilder;
import com.gitlab.credit_reference_platform.crp.gateway.certificate.CertificateGeneratorException;
import com.gitlab.credit_reference_platform.crp.gateway.exception.ServiceException;
import com.gitlab.vincenthung.commons.security.keystore.factory.KeyStoreFactory;
import com.gitlab.vincenthung.commons.security.keystore.factory.KeyStoreFactoryException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
import org.apache.sshd.common.channel.PtyChannelConfigurationHolder;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;

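/**
 * Customizes the embedded Tomcat connector to serve HTTPS with key material taken from the
 * CRP database rather than from a keystore file on disk.
 *
 * <p>The connector's first {@link SSLHostConfig} (or a newly created default one) receives an
 * RSA server certificate built from the active {@code GATEWAY_SERVER_CERTIFICATE} private-key
 * entry and a trust store built from the active {@code CRP_SERVER_CERTIFICATE} certificates.
 * Both keystores are assembled in memory and are never persisted.
 *
 * <p>Operational notes:
 * <ul>
 *   <li>If no active gateway key pair exists, a self-signed certificate is generated and the
 *       server still starts. The fallback is silent, so a missing key is only visible to
 *       clients as an untrusted certificate.</li>
 *   <li>If no active CRP certificates exist, no explicit trust store is set and Tomcat keeps
 *       its own default trust settings. Whether that matters depends on the client-certificate
 *       verification mode, which is not configured in this class.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:BOOT-INF/classes/com/gitlab/credit_reference_platform/crp/gateway/ssl/customizer/CRPGatewayConnectorCustomizer.class */
public class CRPGatewayConnectorCustomizer implements TomcatConnectorCustomizer {

    /** Alias under which the gateway private key and its chain are stored in the in-memory keystore. */
    private static final String KEY_ALIAS = "crp-gateway";

    /**
     * Password protecting the key entry inside the in-memory keystore. The keystore is built on
     * the fly and never written to disk, so this value protects nothing at rest; it only has to
     * be identical for {@code addPrivateKeyWithCertificate} and {@code setCertificateKeyPassword}.
     */
    private static final String KEY_ENTRY_PASSWORD = "dummy";

    /** Alias prefix for trusted CRP certificates: {@code crp0}, {@code crp1}, ... */
    private static final String TRUST_ALIAS_PREFIX = "crp";

    /** Protocol name handed to the SSL context; see {@link #updateSSLHostConfig}. */
    private static final String SSL_PROTOCOL = "TLSv1.2";

    @Autowired
    private ICertificateSecretService certificateSecretService;

    /** HTTPS port the connector is rebound to; defaults to 443 when {@code server.port} is unset. */
    @Value("${server.port:443}")
    private int port;

    /**
     * Turns the given connector into an HTTPS connector backed by database-held key material.
     *
     * @param connector the Tomcat connector to customize; its protocol handler must be a JSSE one
     * @throws IllegalStateException if the handler is not an {@code AbstractHttp11JsseProtocol}, or
     *         if key generation, database access or keystore assembly fails (cause preserved)
     */
    @Override // org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer
    public void customize(Connector connector) {
        ProtocolHandler protocolHandler = connector.getProtocolHandler();
        Assert.state(protocolHandler instanceof AbstractHttp11JsseProtocol,
                "To use SSL, the connector's protocol handler must be an AbstractHttp11JsseProtocol subclass");
        AbstractHttp11JsseProtocol<?> jsseProtocol = (AbstractHttp11JsseProtocol<?>) protocolHandler;
        try {
            updateSSLHostConfig(jsseProtocol);
            connector.setScheme("https");
            connector.setSecure(true);
            connector.setPort(this.port);
            jsseProtocol.setSSLEnabled(true);
        } catch (CertificateGeneratorException e) {
            throw new IllegalStateException("Failed to generate Gateway private key pair", e);
        } catch (ServiceException e) {
            throw new IllegalStateException("Failed to obtain the CRP certificates / Gateway private key from database", e);
        } catch (KeyStoreFactoryException e) {
            throw new IllegalStateException("Failed to load CRP certificates / Gateway private key to KeyStoreFactory", e);
        }
    }

    /**
     * Attaches the gateway server certificate, the SSL protocol and the CRP trust store to the
     * protocol handler's first SSL host configuration, creating a default one if none exists.
     *
     * @param jsseProtocol the JSSE protocol handler whose host configuration is updated
     * @throws ServiceException if the database lookup fails
     * @throws KeyStoreFactoryException if the in-memory keystores cannot be assembled
     * @throws CertificateGeneratorException if the self-signed fallback certificate cannot be generated
     */
    private void updateSSLHostConfig(AbstractHttp11JsseProtocol<?> jsseProtocol)
            throws ServiceException, KeyStoreFactoryException, CertificateGeneratorException {
        SSLHostConfig[] existingConfigs = jsseProtocol.findSslHostConfigs();
        SSLHostConfig hostConfig;
        if (existingConfigs.length == 0) {
            hostConfig = new SSLHostConfig();
            hostConfig.setHostName(jsseProtocol.getDefaultSSLHostConfigName());
            jsseProtocol.addSslHostConfig(hostConfig);
        } else {
            // Only the first host config is updated; any others declared elsewhere keep
            // whatever certificate and trust settings they were configured with.
            hostConfig = existingConfigs[0];
        }
        hostConfig.addCertificate(getSSLHostConfigCertificate(hostConfig, SSLHostConfigCertificate.Type.RSA));
        // Selects the SSLContext protocol. With the default JSSE provider a "TLSv1.2" context
        // does not offer TLS 1.3; confirm against the provider in use before relying on that.
        hostConfig.setSslProtocol(SSL_PROTOCOL);
        // May be null when no CRP certificates are active - see getTrustStore().
        hostConfig.setTrustStore(getTrustStore());
    }

    /**
     * Builds the server-certificate configuration from the active gateway private-key entry,
     * generating a self-signed certificate when none is stored.
     *
     * @param hostConfig the host configuration the certificate belongs to
     * @param type the certificate type to register (RSA in current usage)
     * @return a certificate configuration backed by an in-memory keystore
     * @throws ServiceException if the database lookup fails
     * @throws KeyStoreFactoryException if the keystore cannot be assembled
     * @throws CertificateGeneratorException if the self-signed fallback cannot be generated
     */
    private SSLHostConfigCertificate getSSLHostConfigCertificate(SSLHostConfig hostConfig, SSLHostConfigCertificate.Type type)
            throws ServiceException, KeyStoreFactoryException, CertificateGeneratorException {
        KeyStore.PrivateKeyEntry keyEntry =
                this.certificateSecretService.getActivePrivateKeyEntry(SecretSubType.GATEWAY_SERVER_CERTIFICATE);
        if (keyEntry == null) {
            // No active gateway key in the database: fall back to a freshly generated self-signed
            // certificate so the server can start. Clients will see an untrusted certificate until
            // a real key pair is provisioned; nothing here records that the fallback was taken.
            keyEntry = new CertificateGeneratorBuilder().build().generateSelfSignedCertificate();
        }
        KeyStoreFactory keyStoreFactory = KeyStoreFactory.init(null, null, null);
        keyStoreFactory.addPrivateKeyWithCertificate(keyEntry.getPrivateKey(), keyEntry.getCertificateChain(),
                KEY_ALIAS, KEY_ENTRY_PASSWORD.toCharArray(), true);
        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(hostConfig, type);
        certificate.setCertificateKeystore(keyStoreFactory.getKeyStore());
        certificate.setCertificateKeyAlias(KEY_ALIAS);
        certificate.setCertificateKeyPassword(KEY_ENTRY_PASSWORD);
        return certificate;
    }

    /**
     * Builds an in-memory trust store holding every active CRP server certificate.
     *
     * @return the trust store, or {@code null} when no active CRP certificates exist (the caller
     *         then leaves the host configuration without an explicit trust store)
     * @throws ServiceException if the database lookup fails
     * @throws KeyStoreFactoryException if the keystore cannot be assembled
     */
    private KeyStore getTrustStore() throws ServiceException, KeyStoreFactoryException {
        List<X509Certificate> crpCertificates =
                this.certificateSecretService.getActiveCertificates(SecretSubType.CRP_SERVER_CERTIFICATE);
        if (crpCertificates == null || crpCertificates.isEmpty()) {
            return null;
        }
        KeyStoreFactory keyStoreFactory = KeyStoreFactory.init(null, null, null);
        int index = 0;
        // Declared as Certificate so the same addTrustedCertificate overload is selected as before.
        for (Certificate certificate : crpCertificates) {
            keyStoreFactory.addTrustedCertificate(certificate, TRUST_ALIAS_PREFIX + index, true);
            index++;
        }
        return keyStoreFactory.getKeyStore();
    }
}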
