package org.apache.kafka.common.security.ssl;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.SslClientAuth;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/common/security/ssl/SslEngineBuilder.class */
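/**
 * Builds one {@link SSLContext} from a configuration map and hands out {@link SSLEngine}
 * instances configured for either the server or the client side of a connection.
 *
 * <p>The context is created eagerly in the constructor. {@link #shouldBeRebuilt(Map)} tells
 * the caller when a new builder is needed, either because the configuration changed or
 * because a key/trust store file has a different modification time.
 *
 * <p>NOTE(review): this listing is decompiler output. The "access modifiers changed" markers
 * indicate that some members shown as {@code public} were package-private in the original.
 */
public class SslEngineBuilder {
    private static final Logger log = LoggerFactory.getLogger(SslEngineBuilder.class);
    private final Map<String, ?> configs;
    private final String protocol;
    private final String provider;
    private final String kmfAlgorithm;
    private final String tmfAlgorithm;
    private final SecurityStore keystore;
    private final SecurityStore truststore;
    private final String[] cipherSuites;
    private final String[] enabledProtocols;
    private final SecureRandom secureRandomImplementation;
    private final SSLContext sslContext;
    private final SslClientAuth sslClientAuth;

    /**
     * A key store or trust store on disk: its type, path and passwords, plus the file
     * modification time observed when this object was created.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static class SecurityStore {
        private final String type;
        private final String path;
        private final Password password;
        private final Password keyPassword;
        // Modification time captured at construction; null if it could not be read.
        private final Long fileLastModifiedMs;

        /**
         * @param str store type passed to {@link KeyStore#getInstance(String)}; must not be null
         * @param str2 path of the store file
         * @param password store password, may be null
         * @param password2 private-key password, may be null
         */
        SecurityStore(String str, String str2, Password password, Password password2) {
            Objects.requireNonNull(str, "type must not be null");
            this.type = str;
            this.path = str2;
            this.password = password;
            this.keyPassword = password2;
            this.fileLastModifiedMs = lastModifiedMs(str2);
        }

        /**
         * Reads the store file and returns it as a loaded {@link KeyStore}.
         *
         * @return the loaded store
         * @throws KafkaException if the file cannot be read or the store cannot be parsed;
         *         the message carries the path and type, never the password
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public KeyStore load() {
            // try-with-resources closes the stream on every path and keeps a close()
            // failure as a suppressed exception instead of hiding the original error.
            try (InputStream in = Files.newInputStream(Paths.get(this.path))) {
                KeyStore keyStore = KeyStore.getInstance(this.type);
                // With a null password KeyStore.load() skips the store integrity check, so a
                // password-less trust store is protected only by file system permissions.
                char[] storePassword = this.password != null ? this.password.value().toCharArray() : null;
                keyStore.load(in, storePassword);
                return keyStore;
            } catch (IOException | GeneralSecurityException e) {
                throw new KafkaException("Failed to load SSL keystore " + this.path + " of type " + this.type, e);
            }
        }

        /**
         * Returns the file's last-modified time in milliseconds, or null (after logging an
         * error) when it cannot be read.
         */
        private Long lastModifiedMs(String storePath) {
            try {
                return Files.getLastModifiedTime(Paths.get(storePath)).toMillis();
            } catch (IOException e) {
                SslEngineBuilder.log.error("Modification time of key store could not be obtained: " + storePath, e);
                return null;
            }
        }

        /**
         * Reports whether the file's modification time differs from the one captured at
         * construction. An unreadable modification time counts as "not modified".
         *
         * <p>NOTE(review): detection is based on the timestamp only; a replaced file that
         * keeps the same modification time is not noticed.
         */
        boolean modified() {
            Long currentMs = lastModifiedMs(this.path);
            return currentMs != null && !Objects.equals(currentMs, this.fileLastModifiedMs);
        }

        /** Renders path and modification time only; passwords are deliberately left out. */
        @Override
        public String toString() {
            return "SecurityStore(path=" + this.path + ", modificationTime=" + (this.fileLastModifiedMs == null ? null : new Date(this.fileLastModifiedMs.longValue())) + ")";
        }
    }

    /**
     * Reads the SSL settings from {@code map} and creates the {@link SSLContext}.
     *
     * @param map configuration values keyed by the {@link SslConfigs} names
     * @throws KafkaException if the store settings are inconsistent or the context cannot be built
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SslEngineBuilder(Map<String, ?> map) {
        this.configs = Collections.unmodifiableMap(map);
        this.protocol = (String) map.get(SslConfigs.SSL_PROTOCOL_CONFIG);
        this.provider = (String) map.get(SslConfigs.SSL_PROVIDER_CONFIG);
        SecurityUtils.addConfiguredSecurityProviders(this.configs);
        // A null array means "leave the JVM/provider defaults in place" (see createSslEngine).
        this.cipherSuites = toStringArrayOrNull(map.get(SslConfigs.SSL_CIPHER_SUITES_CONFIG));
        this.enabledProtocols = toStringArrayOrNull(map.get(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG));
        this.secureRandomImplementation = createSecureRandom((String) map.get(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG));
        this.sslClientAuth = createSslClientAuth((String) map.get("ssl.client.auth"));
        this.kmfAlgorithm = (String) map.get(SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
        this.tmfAlgorithm = (String) map.get(SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
        this.keystore = createKeystore(
                (String) map.get(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG),
                (String) map.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG),
                (Password) map.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG),
                (Password) map.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG));
        this.truststore = createTruststore(
                (String) map.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG),
                (String) map.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
                (Password) map.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
        this.sslContext = createSSLContext();
    }

    /** Converts a configured list of strings to an array; null or empty input yields null. */
    @SuppressWarnings("unchecked") // config values arrive untyped; list entries are expected to be strings
    private static String[] toStringArrayOrNull(Object value) {
        List<String> entries = (List<String>) value;
        if (entries == null || entries.isEmpty()) {
            return null;
        }
        return entries.toArray(new String[0]);
    }

    /**
     * Maps the {@code ssl.client.auth} setting to a {@link SslClientAuth} value.
     *
     * <p>Security note: an unrecognized value falls back to {@code NONE}, i.e. a typo in this
     * setting turns client-certificate authentication off and leaves only a WARN log line.
     * Deployments that depend on mutual TLS should validate the setting before it gets here
     * and alert on this warning.
     */
    private static SslClientAuth createSslClientAuth(String key) {
        SslClientAuth auth = SslClientAuth.forConfig(key);
        if (auth != null) {
            return auth;
        }
        String recognized = SslClientAuth.VALUES.stream()
                .map(SslClientAuth::name)
                .collect(Collectors.joining(", "));
        log.warn("Unrecognized client authentication configuration {}.  Falling back to NONE.  Recognized client authentication configurations are {}.", key, recognized);
        return SslClientAuth.NONE;
    }

    /**
     * Returns the named {@link SecureRandom} implementation, or null when none is configured
     * (a null value makes {@link SSLContext#init} pick its default).
     *
     * @throws KafkaException if the named algorithm is not available
     */
    private static SecureRandom createSecureRandom(String algorithm) {
        if (algorithm == null) {
            return null;
        }
        try {
            return SecureRandom.getInstance(algorithm);
        } catch (GeneralSecurityException e) {
            throw new KafkaException(e);
        }
    }

    /**
     * Creates and initializes the {@link SSLContext} from the configured protocol, provider,
     * key store and trust store.
     *
     * @throws KafkaException wrapping any failure while loading stores or initializing JSSE
     */
    private SSLContext createSSLContext() {
        try {
            SSLContext context = this.provider != null
                    ? SSLContext.getInstance(this.protocol, this.provider)
                    : SSLContext.getInstance(this.protocol);

            KeyManager[] keyManagers = null;
            if (this.keystore != null || this.kmfAlgorithm != null) {
                String kmfName = this.kmfAlgorithm != null ? this.kmfAlgorithm : KeyManagerFactory.getDefaultAlgorithm();
                KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfName);
                if (this.keystore != null) {
                    // The key password wins; the store password is used when no key password is set.
                    Password effectiveKeyPassword = this.keystore.keyPassword != null ? this.keystore.keyPassword : this.keystore.password;
                    kmf.init(this.keystore.load(), effectiveKeyPassword.value().toCharArray());
                } else {
                    kmf.init(null, null);
                }
                keyManagers = kmf.getKeyManagers();
            }

            String tmfName = this.tmfAlgorithm != null ? this.tmfAlgorithm : TrustManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfName);
            // Without a configured trust store the factory is initialized with null, which
            // makes it fall back to the JVM's default trust anchors.
            tmf.init(this.truststore == null ? null : this.truststore.load());

            context.init(keyManagers, tmf.getTrustManagers(), this.secureRandomImplementation);
            // SecurityStore.toString() prints path and modification time only, so no
            // password reaches the log here.
            log.debug("Created SSL context with keystore {}, truststore {}, provider {}.", new Object[]{this.keystore, this.truststore, context.getProvider().getName()});
            return context;
        } catch (Exception e) {
            throw new KafkaException(e);
        }
    }

    /**
     * Builds the key store descriptor, or returns null when no key store is configured.
     *
     * @throws KafkaException if only one of location and password is given
     */
    private static SecurityStore createKeystore(String type, String path, Password password, Password keyPassword) {
        if (path == null && password != null) {
            throw new KafkaException("SSL key store is not specified, but key store password is specified.");
        }
        if (path != null && password == null) {
            throw new KafkaException("SSL key store is specified, but key store password is not specified.");
        }
        // After the two checks above, path and password are either both set or both null.
        if (path == null) {
            return null;
        }
        return new SecurityStore(type, path, password, keyPassword);
    }

    /**
     * Builds the trust store descriptor, or returns null when no trust store is configured.
     * Unlike the key store, a trust store location without a password is accepted.
     *
     * @throws KafkaException if a password is given without a location
     */
    private static SecurityStore createTruststore(String type, String path, Password password) {
        if (path == null && password != null) {
            throw new KafkaException("SSL trust store is not specified, but trust store password is specified.");
        }
        return path != null ? new SecurityStore(type, path, password, null) : null;
    }

    /** Returns the unmodifiable view of the configuration this builder was created from. */
    /* JADX INFO: Access modifiers changed from: package-private */
    @SuppressWarnings("unchecked") // read-only view: widening the value type to Object is safe
    public Map<String, Object> configs() {
        return (Map<String, Object>) this.configs;
    }

    /** Returns the key store descriptor, or null if none is configured. */
    public SecurityStore keystore() {
        return this.keystore;
    }

    /** Returns the trust store descriptor, or null if none is configured. */
    public SecurityStore truststore() {
        return this.truststore;
    }

    /**
     * Creates an {@link SSLEngine} from the shared context and applies the configured cipher
     * suites, protocols and, depending on {@code mode}, client-auth or endpoint-identification
     * settings.
     *
     * @param mode {@code Mode.SERVER} for the accepting side; any other value is treated as client
     * @param str peer host passed to {@link SSLContext#createSSLEngine(String, int)}
     * @param i peer port passed to {@link SSLContext#createSSLEngine(String, int)}
     * @param str2 endpoint identification algorithm applied in client mode. It is passed
     *        through unchecked: a null or empty value means JSSE performs no hostname
     *        verification of the server certificate
     * @return the configured engine
     */
    public SSLEngine createSslEngine(Mode mode, String str, int i, String str2) {
        SSLEngine engine = this.sslContext.createSSLEngine(str, i);
        // When these arrays are null the engine keeps the JVM/provider defaults.
        if (this.cipherSuites != null) {
            engine.setEnabledCipherSuites(this.cipherSuites);
        }
        if (this.enabledProtocols != null) {
            engine.setEnabledProtocols(this.enabledProtocols);
        }
        if (mode == Mode.SERVER) {
            engine.setUseClientMode(false);
            switch (this.sslClientAuth) {
                case REQUIRED:
                    engine.setNeedClientAuth(true);
                    break;
                case REQUESTED:
                    engine.setWantClientAuth(true);
                    break;
                default:
                    // Any other value: the engine does not ask for a client certificate.
                    break;
            }
        } else {
            engine.setUseClientMode(true);
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm(str2);
            engine.setSSLParameters(params);
        }
        return engine;
    }

    /** Returns the {@link SSLContext} built in the constructor. */
    public SSLContext sslContext() {
        return this.sslContext;
    }

    /**
     * Decides whether a new builder is needed.
     *
     * @param map the configuration to compare against the one this builder was created with
     * @return true if the configuration differs, or if the trust store or key store file
     *         reports a changed modification time
     */
    public boolean shouldBeRebuilt(Map<String, Object> map) {
        if (!map.equals(this.configs)) {
            return true;
        }
        if (this.truststore != null && this.truststore.modified()) {
            return true;
        }
        return this.keystore != null && this.keystore.modified();
    }
}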
