package org.opendaylight.netconf.transport.tls;

import com.google.common.util.concurrent.ListenableFuture;
import io.netty.bootstrap.Bootstrap;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import javax.net.ssl.TrustManagerFactory;
import org.opendaylight.netconf.transport.api.TransportChannelListener;
import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
import org.opendaylight.netconf.transport.tcp.TCPClient;
import org.opendaylight.netconf.transport.tcp.TCPServer;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.TlsServerGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.ClientAuthentication;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.ServerIdentity;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.AuthType;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.auth.type.Certificate;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.auth.type.RawPrivateKey;

/* loaded from: input_file:org/opendaylight/netconf/transport/tls/TLSServer.class */
/**
 * TLS transport stack acting in the TLS server role.
 *
 * <p>Instances are created only through {@link #connect} and {@link #listen}; both build the
 * {@link SslContext} from a {@link TlsServerGrouping} before any TCP activity is started, so an
 * unusable TLS configuration is rejected up front.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A server identity (certificate or raw private key) is mandatory.</li>
 *   <li>Client authentication follows the configuration: when the {@code client-authentication}
 *       container is present, a client credential is required ({@link ClientAuth#REQUIRE});
 *       when it is absent, none is requested ({@link ClientAuth#NONE}).</li>
 * </ul>
 */
public final class TLSServer extends TLSTransportStack {
    private TLSServer(TransportChannelListener transportChannelListener, SslContext sslContext) {
        super(transportChannelListener, sslContext);
    }

    /**
     * Starts a TLS server endpoint on top of a TCP connection opened via {@link TCPClient#connect},
     * i.e. this side initiates TCP but answers the TLS handshake.
     *
     * @param transportChannelListener listener handed to the new stack
     * @param bootstrap Netty client bootstrap used for the TCP underlay
     * @param tcpClientGrouping TCP client parameters
     * @param tlsServerGrouping TLS server parameters (identity, client authentication, hello params)
     * @return future of the established stack
     * @throws UnsupportedConfigurationException if the TLS configuration cannot be used
     */
    public static ListenableFuture<TLSServer> connect(
            TransportChannelListener transportChannelListener,
            Bootstrap bootstrap,
            TcpClientGrouping tcpClientGrouping,
            TlsServerGrouping tlsServerGrouping) throws UnsupportedConfigurationException {
        // The TLS context is validated and built first; TCP is only touched afterwards.
        final TLSServer stack = newServer(transportChannelListener, tlsServerGrouping);
        return transformUnderlay(stack,
            TCPClient.connect(stack.asListener(), bootstrap, tcpClientGrouping));
    }

    /**
     * Starts a TLS server endpoint on top of a TCP listener opened via {@link TCPServer#listen}.
     *
     * @param transportChannelListener listener handed to the new stack
     * @param serverBootstrap Netty server bootstrap used for the TCP underlay
     * @param tcpServerGrouping TCP server parameters
     * @param tlsServerGrouping TLS server parameters (identity, client authentication, hello params)
     * @return future of the established stack
     * @throws UnsupportedConfigurationException if the TLS configuration cannot be used
     */
    public static ListenableFuture<TLSServer> listen(
            TransportChannelListener transportChannelListener,
            ServerBootstrap serverBootstrap,
            TcpServerGrouping tcpServerGrouping,
            TlsServerGrouping tlsServerGrouping) throws UnsupportedConfigurationException {
        // The TLS context is validated and built first; TCP is only touched afterwards.
        final TLSServer stack = newServer(transportChannelListener, tlsServerGrouping);
        return transformUnderlay(stack,
            TCPServer.listen(stack.asListener(), serverBootstrap, tcpServerGrouping));
    }

    /**
     * Translates the TLS server configuration into an {@link SslContext} and wraps it in a stack.
     *
     * @param transportChannelListener listener handed to the new stack
     * @param tlsServerGrouping TLS server parameters
     * @return a new, not yet connected stack
     * @throws UnsupportedConfigurationException if the server identity is missing, incomplete or of
     *         an unsupported type
     * @throws UnsupportedOperationException if client authentication is configured but yields no
     *         trust manager
     */
    private static TLSServer newServer(
            TransportChannelListener transportChannelListener,
            TlsServerGrouping tlsServerGrouping) throws UnsupportedConfigurationException {
        final ServerIdentity identity = tlsServerGrouping.getServerIdentity();
        if (identity == null) {
            throw new UnsupportedConfigurationException("Missing server identity");
        }

        // Server side of the handshake: pick the key manager matching the configured identity.
        final AuthType identityType = identity.getAuthType();
        final SslContextBuilder builder;
        if (identityType == null) {
            throw new UnsupportedConfigurationException("Missing server authentication type");
        } else if (identityType instanceof Certificate) {
            final Certificate certCase = (Certificate) identityType;
            final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.auth.type.certificate.Certificate certContainer =
                certCase.getCertificate();
            if (certContainer == null) {
                throw new UnsupportedConfigurationException("Missing certificate in " + certCase);
            }
            builder = SslContextBuilder.forServer(newKeyManager(certContainer));
        } else if (identityType instanceof RawPrivateKey) {
            final RawPrivateKey rawKeyCase = (RawPrivateKey) identityType;
            final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.auth.type.raw._private.key.RawPrivateKey rawKeyContainer =
                rawKeyCase.getRawPrivateKey();
            if (rawKeyContainer == null) {
                throw new UnsupportedConfigurationException("Missing key in " + rawKeyCase);
            }
            builder = SslContextBuilder.forServer(newKeyManager(rawKeyContainer));
        } else {
            throw new UnsupportedConfigurationException("Unsupported server authentication type " + identityType);
        }

        // Client side of the handshake: the presence of the container alone decides whether
        // peers must authenticate at the TLS layer.
        final ClientAuthentication clientAuth = tlsServerGrouping.getClientAuthentication();
        if (clientAuth == null) {
            // No client-authentication configured: the handshake does not ask for a client
            // credential, so any peer completes TLS. Deployments relying on this path need peer
            // authentication elsewhere.
            builder.clientAuth(ClientAuth.NONE);
        } else {
            final TrustManagerFactory trust = newTrustManager(
                clientAuth.getCaCerts(), clientAuth.getEeCerts(), clientAuth.getRawPublicKeys());
            if (trust == null) {
                // Fails closed: a configured-but-empty container is rejected instead of
                // silently accepting unauthenticated clients.
                // NOTE(review): unchecked exception here, whereas every other configuration
                // error in this method is an UnsupportedConfigurationException; callers that
                // only handle the checked type will not see this one. Confirm this is intended.
                throw new UnsupportedOperationException("No client authentication methods in " + clientAuth);
            }
            builder.clientAuth(ClientAuth.REQUIRE).trustManager(trust);
        }

        // Hello parameters are forwarded to buildSslContext(), which is not defined in this class.
        return new TLSServer(transportChannelListener,
            buildSslContext(builder, tlsServerGrouping.getHelloParams()));
    }
}
