package org.apache.activemq.artemis.core.remoting.impl.ssl;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.artemis.api.core.Pair;
import org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin;
import org.apache.activemq.artemis.core.client.ActiveMQClientLogger;
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.spi.core.remoting.ssl.SSLContextConfig;
import org.apache.activemq.artemis.utils.ClassloadingUtil;

/* loaded from: input_file:artemis-core-client-2.20.0.jar:org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.class */
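/**
 * Builds JSSE ({@link SSLContext}) and Netty ({@link SslContext}) TLS contexts from key store,
 * trust store and CRL settings.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Trust material is chosen in a fixed order: a configured trust-manager-factory plugin
 *       wins, then {@code trustAll}, then the configured trust store. See
 *       {@link #loadTrustManagerFactory()}.</li>
 *   <li>{@code trustAll} installs Netty's {@link InsecureTrustManagerFactory}, which accepts any
 *       peer certificate without verification.</li>
 *   <li>Store and CRL locations are resolved by {@link #validateStoreURL(String)}, which accepts
 *       any URL the JVM can parse before falling back to the file system and the classpath.</li>
 *   <li>Nothing in this class configures endpoint identification (hostname verification); that
 *       has to happen wherever the resulting context is turned into an engine or handler.</li>
 * </ul>
 *
 * <p>Instances are mutable and not synchronized. Passwords are held as {@link String}s, so avoid
 * logging or otherwise dumping instances of this class.
 */
public class SSLSupport {
    /** Store path value meaning "there is no store file" (compared case-insensitively). */
    public static final String NONE = "NONE";

    private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
    private String keystoreType = "JKS";
    private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
    private String keystorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
    private String truststoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
    private String truststoreType = "JKS";
    private String truststorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
    private String truststorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
    private String crlPath = TransportConstants.DEFAULT_CRL_PATH;
    private String sslProvider = TransportConstants.DEFAULT_SSL_PROVIDER;
    private boolean trustAll = false;
    private String trustManagerFactoryPlugin = TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN;

    /** Creates an instance carrying the transport defaults for every setting. */
    public SSLSupport() {
    }

    /**
     * Creates an instance from an {@link SSLContextConfig}.
     *
     * <p>Every value is copied as-is, including {@code null}s, so a {@code null} in the config
     * replaces the corresponding default. {@code sslProvider} is not read from the config here
     * and keeps its default until {@link #setSslProvider(String)} is called.
     *
     * @param sSLContextConfig the configuration to copy from; must not be {@code null}
     */
    public SSLSupport(SSLContextConfig sSLContextConfig) {
        this.keystoreProvider = sSLContextConfig.getKeystoreProvider();
        this.keystorePath = sSLContextConfig.getKeystorePath();
        this.keystoreType = sSLContextConfig.getKeystoreType();
        this.keystorePassword = sSLContextConfig.getKeystorePassword();
        this.truststoreProvider = sSLContextConfig.getTruststoreProvider();
        this.truststorePath = sSLContextConfig.getTruststorePath();
        this.truststoreType = sSLContextConfig.getTruststoreType();
        this.truststorePassword = sSLContextConfig.getTruststorePassword();
        this.crlPath = sSLContextConfig.getCrlPath();
        this.trustAll = sSLContextConfig.isTrustAll();
        this.trustManagerFactoryPlugin = sSLContextConfig.getTrustManagerFactoryPlugin();
    }

    /** @return the security provider name used for the key store, or {@code null} for the default */
    public String getKeystoreProvider() {
        return this.keystoreProvider;
    }

    /**
     * @param str security provider name for the key store; a name containing "PKCS11" makes the
     *            key store load even when no path is set
     * @return this instance, for chaining
     */
    public SSLSupport setKeystoreProvider(String str) {
        this.keystoreProvider = str;
        return this;
    }

    /** @return the key store type passed to {@link KeyStore#getInstance(String)} */
    public String getKeystoreType() {
        return this.keystoreType;
    }

    /**
     * @param str key store type, for example {@code "JKS"}
     * @return this instance, for chaining
     */
    public SSLSupport setKeystoreType(String str) {
        this.keystoreType = str;
        return this;
    }

    /** @return the key store location, or {@code null}/empty/{@link #NONE} when there is none */
    public String getKeystorePath() {
        return this.keystorePath;
    }

    /**
     * @param str key store location; resolved as a URL first, then as a file, then as a
     *            classpath resource
     * @return this instance, for chaining
     */
    public SSLSupport setKeystorePath(String str) {
        this.keystorePath = str;
        return this;
    }

    /** @return the key store password in clear text; do not log the result */
    public String getKeystorePassword() {
        return this.keystorePassword;
    }

    /**
     * @param str key store password, or {@code null} for none
     * @return this instance, for chaining
     */
    public SSLSupport setKeystorePassword(String str) {
        this.keystorePassword = str;
        return this;
    }

    /** @return the security provider name used for the trust store, or {@code null} for the default */
    public String getTruststoreProvider() {
        return this.truststoreProvider;
    }

    /**
     * @param str security provider name for the trust store; a name containing "PKCS11" makes
     *            the trust store load even when no path is set
     * @return this instance, for chaining
     */
    public SSLSupport setTruststoreProvider(String str) {
        this.truststoreProvider = str;
        return this;
    }

    /** @return the trust store type passed to {@link KeyStore#getInstance(String)} */
    public String getTruststoreType() {
        return this.truststoreType;
    }

    /**
     * @param str trust store type, for example {@code "JKS"}
     * @return this instance, for chaining
     */
    public SSLSupport setTruststoreType(String str) {
        this.truststoreType = str;
        return this;
    }

    /** @return the trust store location, or {@code null}/empty/{@link #NONE} when there is none */
    public String getTruststorePath() {
        return this.truststorePath;
    }

    /**
     * @param str trust store location; resolved as a URL first, then as a file, then as a
     *            classpath resource
     * @return this instance, for chaining
     */
    public SSLSupport setTruststorePath(String str) {
        this.truststorePath = str;
        return this;
    }

    /** @return the trust store password in clear text; do not log the result */
    public String getTruststorePassword() {
        return this.truststorePassword;
    }

    /**
     * @param str trust store password, or {@code null} for none
     * @return this instance, for chaining
     */
    public SSLSupport setTruststorePassword(String str) {
        this.truststorePassword = str;
        return this;
    }

    /** @return the CRL location, or {@code null} when no CRL is configured */
    public String getCrlPath() {
        return this.crlPath;
    }

    /**
     * @param str CRL location; a non-null value turns on revocation checking when the default
     *            trust manager algorithm is PKIX
     * @return this instance, for chaining
     */
    public SSLSupport setCrlPath(String str) {
        this.crlPath = str;
        return this;
    }

    /** @return the Netty SSL provider name */
    public String getSslProvider() {
        return this.sslProvider;
    }

    /**
     * @param str name of an {@link SslProvider} constant; it is passed to
     *            {@link SslProvider#valueOf(String)} when a Netty context is built
     * @return this instance, for chaining
     */
    public SSLSupport setSslProvider(String str) {
        this.sslProvider = str;
        return this;
    }

    /** @return {@code true} when peer certificates are accepted without verification */
    public boolean isTrustAll() {
        return this.trustAll;
    }

    /**
     * Switches peer certificate validation off or on.
     *
     * <p>When {@code true} (and no trust-manager-factory plugin is configured) the contexts built
     * by this class accept every peer certificate, so the TLS channel no longer authenticates the
     * peer. Keep this {@code false} outside of throwaway test environments.
     *
     * @param z {@code true} to accept any certificate
     * @return this instance, for chaining
     */
    public SSLSupport setTrustAll(boolean z) {
        this.trustAll = z;
        return this;
    }

    /** @return the class name of the trust-manager-factory plugin, or {@code null} for none */
    public String getTrustManagerFactoryPlugin() {
        return this.trustManagerFactoryPlugin;
    }

    /**
     * Sets the {@link TrustManagerFactoryPlugin} implementation to load.
     *
     * <p>The named class is instantiated through the class loader and fully replaces the trust
     * store, CRL and {@code trustAll} settings, so the value must come from trusted configuration.
     *
     * @param str fully qualified class name, or {@code null} for none
     * @return this instance, for chaining
     */
    public SSLSupport setTrustManagerFactoryPlugin(String str) {
        this.trustManagerFactoryPlugin = str;
        return this;
    }

    /**
     * Builds a JSSE context for protocol {@code "TLS"}.
     *
     * <p>Key or trust managers may be {@code null} when no store is configured; they are handed
     * to {@link SSLContext#init} unchanged, which then uses the platform defaults.
     *
     * @return an initialised {@link SSLContext}
     * @throws Exception if a store cannot be located or loaded, or the context cannot be built
     */
    public SSLContext createContext() throws Exception {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(loadKeyManagers(), loadTrustManagers(), new SecureRandom());
        return context;
    }

    /**
     * Builds a server-side Netty context.
     *
     * <p>The key store is always loaded here, even when its path is unset. A {@code null} key
     * store password is passed through as {@code null}, matching
     * {@link #createNettyClientContext()}.
     *
     * @return a server {@link SslContext}
     * @throws Exception if a store cannot be located or loaded, or the context cannot be built
     */
    public SslContext createNettyContext() throws Exception {
        KeyManagerFactory keyManagerFactory = newKeyManagerFactory();
        return SslContextBuilder.forServer(keyManagerFactory)
            .sslProvider(SslProvider.valueOf(this.sslProvider))
            .trustManager(loadTrustManagerFactory())
            .build();
    }

    /**
     * Builds a client-side Netty context.
     *
     * <p>The key store is always loaded here, even when its path is unset.
     *
     * @return a client {@link SslContext}
     * @throws Exception if a store cannot be located or loaded, or the context cannot be built
     */
    public SslContext createNettyClientContext() throws Exception {
        KeyManagerFactory keyManagerFactory = newKeyManagerFactory();
        return SslContextBuilder.forClient()
            .sslProvider(SslProvider.valueOf(this.sslProvider))
            .keyManager(keyManagerFactory)
            .trustManager(loadTrustManagerFactory())
            .build();
    }

    /**
     * Splits a comma-separated list and trims each entry.
     *
     * @param str the list; must not be {@code null}
     * @return the trimmed entries, in order
     */
    public static String[] parseCommaSeparatedListIntoArray(String str) {
        String[] entries = str.split(",");
        for (int i = 0; i < entries.length; i++) {
            entries[i] = entries[i].trim();
        }
        return entries;
    }

    /**
     * Joins the entries with {@code ", "}.
     *
     * <p>An empty array yields an empty string; the previous hand-rolled loop failed on it with a
     * {@link StringIndexOutOfBoundsException} while trimming the trailing separator.
     *
     * @param strArr the entries; must not be {@code null}
     * @return the joined list
     */
    public static String parseArrayIntoCommandSeparatedList(String[] strArr) {
        return String.join(", ", strArr);
    }

    /**
     * Chooses the trust material for a context.
     *
     * <p>Order of precedence:
     * <ol>
     *   <li>a configured trust-manager-factory plugin (trust store, CRL and {@code trustAll} are
     *       then ignored);</li>
     *   <li>{@code trustAll}, which returns a factory that performs no certificate checks;</li>
     *   <li>the configured trust store, with revocation checking when a CRL path is set or the
     *       {@code ocsp.enable} security property is true.</li>
     * </ol>
     *
     * @return the factory, or {@code null} when no trust store is configured and the provider is
     *         not PKCS11; callers pass that {@code null} on so the platform default applies
     * @throws Exception if the plugin, trust store or CRL cannot be loaded
     */
    private TrustManagerFactory loadTrustManagerFactory() throws Exception {
        if (this.trustManagerFactoryPlugin != null) {
            // The explicit PrivilegedAction cast picks the doPrivileged overload; a bare lambda
            // is ambiguous with the PrivilegedExceptionAction variant.
            return AccessController.doPrivileged((PrivilegedAction<TrustManagerFactory>) () ->
                ((TrustManagerFactoryPlugin) ClassloadingUtil.newInstanceFromClassLoader((Class<?>) SSLSupport.class, this.trustManagerFactoryPlugin)).getTrustManagerFactory());
        }
        if (this.trustAll) {
            // No certificate validation at all: the peer is not authenticated.
            return InsecureTrustManagerFactory.INSTANCE;
        }
        if (isUnsetPath(this.truststorePath) && !isPkcs11(this.truststoreProvider)) {
            return null;
        }

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trustStore = loadKeystore(this.truststoreProvider, this.truststoreType, this.truststorePath, this.truststorePassword);

        boolean ocspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable"));
        boolean revocationRequested = ocspEnabled || this.crlPath != null;
        // NOTE(review): revocation is only wired up for the PKIX algorithm. With any other default
        // algorithm a configured CRL path is silently unused and the plain trust store applies.
        if (revocationRequested && TrustManagerFactory.getDefaultAlgorithm().equalsIgnoreCase("PKIX")) {
            PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
            if (this.crlPath != null) {
                pkixParameters.setRevocationEnabled(true);
                Collection<? extends CRL> crls = loadCRL();
                if (crls != null) {
                    pkixParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
                }
            }
            trustManagerFactory.init(new CertPathTrustManagerParameters(pkixParameters));
            return trustManagerFactory;
        }

        trustManagerFactory.init(trustStore);
        return trustManagerFactory;
    }

    /**
     * @return the trust managers from {@link #loadTrustManagerFactory()}, or {@code null} when
     *         that method returns no factory
     * @throws Exception if the trust material cannot be loaded
     */
    private TrustManager[] loadTrustManagers() throws Exception {
        TrustManagerFactory trustManagerFactory = loadTrustManagerFactory();
        return trustManagerFactory == null ? null : trustManagerFactory.getTrustManagers();
    }

    /**
     * Reads the X.509 CRLs found at {@code crlPath}.
     *
     * @return the parsed CRLs, or {@code null} when no CRL path is configured
     * @throws Exception if the location cannot be resolved or the content cannot be parsed
     */
    private Collection<? extends CRL> loadCRL() throws Exception {
        if (this.crlPath == null) {
            return null;
        }
        try (InputStream crlStream = validateStoreURL(this.crlPath).openStream()) {
            return CertificateFactory.getInstance("X.509").generateCRLs(crlStream);
        }
    }

    /**
     * Loads a key store or trust store.
     *
     * <p>When the path is {@code null}, empty or {@link #NONE} the store is loaded with a
     * {@code null} stream, which is what provider-backed stores without a file expect.
     *
     * @param str  security provider name, or {@code null} for the default provider
     * @param str2 store type
     * @param str3 store location, or {@code null}/empty/{@link #NONE}
     * @param str4 store password, or {@code null}
     * @return the loaded store
     * @throws Exception if the store cannot be located, read or unlocked
     */
    private static KeyStore loadKeystore(String str, String str2, String str3, String str4) throws Exception {
        KeyStore keyStore = str == null ? KeyStore.getInstance(str2) : KeyStore.getInstance(str2, str);
        InputStream storeStream = null;
        try {
            if (!isUnsetPath(str3)) {
                storeStream = validateStoreURL(str3).openStream();
            }
            // Inside the try so the stream is released even when loading fails
            // (wrong password, corrupt store).
            keyStore.load(storeStream, passwordChars(str4));
        } finally {
            if (storeStream != null) {
                try {
                    storeStream.close();
                } catch (IOException ignored) {
                    // Best effort: the store has already been read (or loading has already failed).
                }
            }
        }
        return keyStore;
    }

    /**
     * @return the key managers from {@link #loadKeyManagerFactory()}, or {@code null} when that
     *         method returns no factory
     * @throws Exception if the key store cannot be loaded
     */
    private KeyManager[] loadKeyManagers() throws Exception {
        KeyManagerFactory keyManagerFactory = loadKeyManagerFactory();
        return keyManagerFactory == null ? null : keyManagerFactory.getKeyManagers();
    }

    /**
     * @return a factory initialised from the key store, or {@code null} when no key store path is
     *         configured and the provider is not PKCS11
     * @throws Exception if the key store cannot be loaded
     */
    private KeyManagerFactory loadKeyManagerFactory() throws Exception {
        if (isUnsetPath(this.keystorePath) && !isPkcs11(this.keystoreProvider)) {
            return null;
        }
        return newKeyManagerFactory();
    }

    /**
     * Loads the key store unconditionally and initialises a key manager factory from it.
     *
     * @return the initialised factory
     * @throws Exception if the key store cannot be loaded or the factory cannot be initialised
     */
    private KeyManagerFactory newKeyManagerFactory() throws Exception {
        KeyStore keyStore = loadKeystore(this.keystoreProvider, this.keystoreType, this.keystorePath, this.keystorePassword);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, passwordChars(this.keystorePassword));
        return keyManagerFactory;
    }

    /** @return {@code true} when the path is {@code null}, empty or {@link #NONE} */
    private static boolean isUnsetPath(String path) {
        return path == null || path.isEmpty() || path.equalsIgnoreCase(NONE);
    }

    /** @return {@code true} when the provider name contains "PKCS11", ignoring case */
    private static boolean isPkcs11(String provider) {
        return provider != null && provider.toUpperCase().contains("PKCS11");
    }

    /** @return the password as a char array, or {@code null} when the password is {@code null} */
    private static char[] passwordChars(String password) {
        return password == null ? null : password.toCharArray();
    }

    /**
     * Resolves a store or CRL location.
     *
     * <p>Resolution order: the value parsed as a URL, then an existing regular file with that
     * name, then a classpath resource. Because the first step accepts every URL scheme the JVM
     * knows, a store can end up being fetched from a remote location; key and trust material
     * pulled over an unauthenticated channel can be substituted in transit, so keep these
     * settings under the same control as the rest of the TLS configuration and prefer local
     * files or classpath resources.
     *
     * @param str the configured location; must not be {@code null}
     * @return a URL that can be opened to read the store
     * @throws Exception if none of the three lookups finds the store
     */
    private static URL validateStoreURL(String str) throws Exception {
        assert str != null;
        try {
            return new URL(str);
        } catch (MalformedURLException e) {
            // Not a URL: try the file system, then the classpath.
            File file = new File(str);
            if (file.exists() && file.isFile()) {
                return file.toURI().toURL();
            }
            URL resource = findResource(str);
            if (resource != null) {
                return resource;
            }
            throw new Exception("Failed to find a store at " + str);
        }
    }

    /**
     * Looks a resource up through {@link ClassloadingUtil} inside a privileged block.
     *
     * @param str the resource name
     * @return the result of {@code ClassloadingUtil.findResource(str)}
     */
    private static URL findResource(final String str) {
        return AccessController.doPrivileged((PrivilegedAction<URL>) () -> ClassloadingUtil.findResource(str));
    }

    /**
     * Normalises a provider/type pair.
     *
     * <p>When the provider value is really a store type (it starts with {@code "PKCS"} or equals
     * {@code "JKS"} or {@code "JCEKS"}), it is reported through the client logger and moved into
     * the type position with a {@code null} provider. Any other input is returned unchanged.
     *
     * @param str  the configured provider, possibly {@code null}
     * @param str2 the configured type
     * @return the pair (provider, type) to use
     */
    public static Pair<String, String> getValidProviderAndType(String str, String str2) {
        boolean providerHoldsStoreType = str != null
            && (str.startsWith("PKCS") || str.equals("JKS") || str.equals("JCEKS"));
        if (!providerHoldsStoreType) {
            return new Pair<>(str, str2);
        }
        ActiveMQClientLogger.LOGGER.oldStoreProvider(str);
        return new Pair<>(null, str);
    }
}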
