package com.hivemq.security.ssl;

import com.hivemq.bootstrap.ioc.lazysingleton.LazySingleton;
import com.hivemq.configuration.service.entity.Tls;
import com.hivemq.extension.sdk.api.annotations.NotNull;
import com.hivemq.security.exception.SslException;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import java.util.List;
import javax.net.ssl.SSLException;

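/**
 * Builds server-side Netty {@link SslContext} instances from a listener's {@link Tls} configuration.
 *
 * <p>The context always uses the JDK TLS provider ({@link SslProvider#JDK}). The key material and
 * trust material come from {@code SslUtil}, which is not visible here.
 */
@LazySingleton
/* loaded from: input_file:com/hivemq/security/ssl/SslContextFactory.class */
public class SslContextFactory {
    /**
     * Creates the server {@link SslContext} for the given TLS configuration.
     *
     * <p>Security-relevant behaviour:
     * <ul>
     *   <li>Protocols are only pinned when the configuration lists at least one. An empty list
     *       leaves the builder's defaults in place, so the enabled TLS versions then depend on the
     *       Netty/JDK defaults rather than on this configuration.</li>
     *   <li>Cipher suites are passed through {@link SupportedCipherSuiteFilter}, which drops
     *       suites the engine does not support instead of failing. A misspelled or unsupported
     *       suite name therefore disappears silently; verify the effective list on the running
     *       listener rather than trusting the configured one.</li>
     *   <li>A {@code null} or empty cipher list selects the default cipher suites.</li>
     *   <li>The trust manager is installed for every client-auth mode, including
     *       {@code NONE}.</li>
     * </ul>
     *
     * @param tls the TLS configuration of the listener
     * @return the built server context
     * @throws SslException if the underlying builder fails with an {@link SSLException}, or if the
     *     configured client-auth mode is not recognised
     */
    @NotNull
    public SslContext createSslContext(@NotNull Tls tls) {
        try {
            SslContextBuilder builder = SslContextBuilder.forServer(SslUtil.getKeyManagerFactory(tls))
                    .sslProvider(SslProvider.JDK)
                    .trustManager(SslUtil.getTrustManagerFactory(tls))
                    .clientAuth(toClientAuth(tls.getClientAuthMode()));

            // Read the list once so the emptiness check and the value applied cannot diverge.
            List<String> protocols = tls.getProtocols();
            if (!protocols.isEmpty()) {
                builder.protocols(protocols);
            }

            List<String> cipherSuites = tls.getCipherSuites();
            if (cipherSuites == null || cipherSuites.isEmpty()) {
                // null means "use the default cipher suites"; the typed cast avoids a raw type
                // and keeps the ciphers(Iterable<String>, CipherSuiteFilter) overload explicit.
                builder.ciphers((Iterable<String>) null, SupportedCipherSuiteFilter.INSTANCE);
            } else {
                // Unsupported entries are filtered out, not rejected (see method Javadoc).
                builder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
            }
            return builder.build();
        } catch (SSLException e) {
            // Keep the cause so the underlying keystore/provider failure stays diagnosable.
            throw new SslException("Not able to create SSL server context", e);
        }
    }

    /**
     * Maps the configured client-auth mode onto Netty's {@link ClientAuth}.
     *
     * <p>{@code NONE} does not request a client certificate, {@code OPTIONAL} requests one but
     * lets the handshake complete without it, and {@code REQUIRED} makes the handshake fail when
     * none is presented. With {@code OPTIONAL}, TLS alone does not authenticate the client, so any
     * authentication requirement has to be enforced elsewhere.
     *
     * @param clientAuthMode the mode from the TLS configuration
     * @return the matching Netty client-auth setting
     * @throws SslException if the mode is none of the handled constants
     */
    @NotNull
    private static ClientAuth toClientAuth(@NotNull Tls.ClientAuthMode clientAuthMode) {
        switch (clientAuthMode) {
            case NONE:
                return ClientAuth.NONE;
            case OPTIONAL:
                return ClientAuth.OPTIONAL;
            case REQUIRED:
                return ClientAuth.REQUIRE;
            default:
                // Fail closed: an unknown mode must not fall through to a weaker setting.
                throw new SslException("Invalid auth mode: " + clientAuthMode);
        }
    }
}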
