package com.yahoo.security.tls;

import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.PeerPolicy;
import com.yahoo.vespa.jdk8compat.Set;
import java.lang.ref.WeakReference;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/* loaded from: input_file:com/yahoo/security/tls/ConfigFileBasedTlsContext.class */
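/**
 * A {@link TlsContext} built from a TLS config file. Every {@link TlsContext} operation is
 * delegated to an inner context created from the options that the file's {@link TlsManager}
 * exposes.
 *
 * <p>Instances created for the same {@link Path} share one reference-counted {@link TlsManager}.
 * Each instance takes a reference on construction and returns it in {@link #close()}.
 * The manager is closed and unregistered when the count reaches zero.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Hostname verification is switched off when the config file says so
 *       ({@code isHostnameValidationDisabled()}).</li>
 *   <li>If the config file defines no authorized peers, the trust manager is created with an
 *       empty policy set and {@link AuthorizationMode#DISABLE}. The {@code AuthorizationMode}
 *       passed by the caller is ignored in that case.</li>
 *   <li>A non-empty accepted-cipher list from the config file replaces
 *       {@link TlsContext#ALLOWED_CIPHER_SUITES} entirely. This class does not intersect the two.</li>
 * </ul>
 */
public class ConfigFileBasedTlsContext implements TlsContext {
    /** Shared managers keyed by config file path; every access synchronizes on this map. */
    private static final Map<Path, WeakReference<TlsManager>> trustManagers = new HashMap<>();

    private final TlsContext tlsContext;
    private final TlsManager tlsManager;

    /** True once this instance has returned its manager reference; guarded by {@code trustManagers}. */
    private boolean closed;

    /**
     * Returns the shared manager for {@code path}, creating and registering one if none is cached
     * or the cached weak reference has been cleared. The returned manager has had
     * {@code addRef()} called on behalf of the caller.
     */
    private static TlsManager getOrCreateTrustManager(Path path) {
        synchronized (trustManagers) {
            WeakReference<TlsManager> cached = trustManagers.get(path);
            TlsManager manager = (cached != null) ? cached.get() : null;
            if (manager == null) {
                manager = new TlsManager(path);
                trustManagers.put(path, new WeakReference<>(manager));
            }
            manager.addRef();
            return manager;
        }
    }

    /**
     * Returns one reference on {@code manager}. When the count reaches zero the manager is closed
     * and removed from the shared map.
     */
    private static void releaseTrustManager(TlsManager manager) {
        synchronized (trustManagers) {
            if (manager.subRef() == 0) {
                manager.close();
                trustManagers.remove(manager.getTlsConfigFile());
            }
        }
    }

    /**
     * Creates a context from the config file at {@code path}, using
     * {@link PeerAuthentication#NEED} as the peer authentication setting.
     *
     * @param path              TLS config file
     * @param authorizationMode mode applied when the config file defines authorized peers
     */
    public ConfigFileBasedTlsContext(Path path, AuthorizationMode authorizationMode) {
        this(path, authorizationMode, PeerAuthentication.NEED);
    }

    /**
     * Creates a context from the config file at {@code path}.
     *
     * @param path               TLS config file
     * @param authorizationMode  mode applied when the config file defines authorized peers;
     *                           ignored when it defines none (authorization is then disabled)
     * @param peerAuthentication peer authentication setting handed to the inner context
     */
    public ConfigFileBasedTlsContext(Path path, AuthorizationMode authorizationMode, PeerAuthentication peerAuthentication) {
        TlsManager manager = getOrCreateTrustManager(path);
        TlsContext context;
        try {
            context = createDefaultTlsContext(manager.getOptions(), authorizationMode, manager.getTrustManager(), manager.getKeyManager(), peerAuthentication);
        } catch (RuntimeException | Error e) {
            // No instance will exist to call close(), so return the reference taken above here.
            releaseTrustManager(manager);
            throw e;
        }
        this.tlsManager = manager;
        this.tlsContext = context;
    }

    /** Returns the {@link SSLContext} of the inner context. */
    @Override
    public SSLContext context() {
        return this.tlsContext.context();
    }

    /** Returns the {@link SSLParameters} of the inner context. */
    @Override
    public SSLParameters parameters() {
        return this.tlsContext.parameters();
    }

    /** Creates an {@link SSLEngine} through the inner context. */
    @Override
    public SSLEngine createSslEngine() {
        return this.tlsContext.createSslEngine();
    }

    /**
     * Creates an {@link SSLEngine} through the inner context, passing both arguments on unchanged.
     *
     * @param str first argument, presumably the peer host (confirm against {@link TlsContext})
     * @param i   second argument, presumably the peer port (confirm against {@link TlsContext})
     */
    @Override
    public SSLEngine createSslEngine(String str, int i) {
        return this.tlsContext.createSslEngine(str, i);
    }

    /**
     * Returns this instance's reference on the shared {@link TlsManager}.
     *
     * <p>Repeated calls are no-ops. Without that guard a second call would decrement the shared
     * count again and could close a manager that another context for the same file still uses.
     */
    @Override
    public void close() {
        synchronized (trustManagers) {
            if (this.closed) {
                return;
            }
            this.closed = true;
            releaseTrustManager(this.tlsManager);
        }
    }

    /**
     * Builds the inner {@link DefaultTlsContext} from the config file options.
     *
     * @param transportSecurityOptions options read from the config file
     * @param authorizationMode        mode used only when the options contain authorized peers
     * @param mutableX509TrustManager  trust manager wrapped by the {@link PeerAuthorizerTrustManager}
     * @param mutableX509KeyManager    key manager installed in the {@link SSLContext}
     * @param peerAuthentication       peer authentication setting for the resulting context
     * @return the context backed by the newly built {@link SSLContext}
     */
    private static DefaultTlsContext createDefaultTlsContext(TransportSecurityOptions transportSecurityOptions, AuthorizationMode authorizationMode, MutableX509TrustManager mutableX509TrustManager, MutableX509KeyManager mutableX509KeyManager, PeerAuthentication peerAuthentication) {
        HostnameVerification hostnameVerification = transportSecurityOptions.isHostnameValidationDisabled() ? HostnameVerification.DISABLED : HostnameVerification.ENABLED;

        // With no authorized peers configured, fall back to an empty policy set with authorization
        // disabled. The caller's authorizationMode is deliberately not used on this path.
        PeerAuthorizerTrustManager authorizingTrustManager = transportSecurityOptions.getAuthorizedPeers()
                .map(authorizedPeers -> new PeerAuthorizerTrustManager(authorizedPeers, authorizationMode, hostnameVerification, mutableX509TrustManager))
                .orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of(new PeerPolicy[0])), AuthorizationMode.DISABLE, hostnameVerification, mutableX509TrustManager));

        SSLContext sslContext = new SslContextBuilder()
                .withKeyManager(mutableX509KeyManager)
                .withTrustManager(authorizingTrustManager)
                .build();

        // An empty cipher list in the config selects the built-in allow-list. A non-empty list is
        // passed on as configured. NOTE(review): confirm whether DefaultTlsContext filters weak
        // suites, since nothing here does.
        List<String> acceptedCiphers = transportSecurityOptions.getAcceptedCiphers();
        return new DefaultTlsContext(sslContext, acceptedCiphers.isEmpty() ? TlsContext.ALLOWED_CIPHER_SUITES : new HashSet<String>(acceptedCiphers), peerAuthentication);
    }
}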
