package org.apache.qpid.protonj2.client.transport;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.OpenSslX509KeyManagerFactory;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import org.apache.qpid.protonj2.client.SslOptions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/protonj2/client/transport/SslSupport.class */
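/**
 * Static helpers that build the client-side TLS objects (context, engine and Netty
 * {@link SslHandler}) from an {@link SslOptions} instance.
 *
 * <p>Two options handled here weaken the TLS guarantees and deserve attention in review
 * and in deployment configuration:
 * <ul>
 *   <li>{@code trustAll()} replaces the trust managers with Netty's
 *       {@link InsecureTrustManagerFactory}, which accepts any certificate chain.</li>
 *   <li>{@code verifyHost()} set to {@code false} leaves the endpoint identification algorithm
 *       unset on the engine, so this class requests no hostname check of the peer
 *       certificate.</li>
 * </ul>
 */
public class SslSupport {
    private static final Logger LOG = LoggerFactory.getLogger(SslSupport.class);

    /**
     * Decides whether the OpenSSL-backed provider can be used for the given options.
     *
     * <p>The checks run in a fixed order and the first one that fails is logged at debug level.
     *
     * @param sslOptions the TLS configuration to inspect
     * @return {@code true} only when native SSL is allowed, OpenSSL is available, no user
     *         {@link SSLContext} override is set, the OpenSSL build supports a
     *         {@link KeyManagerFactory}, and no key alias is configured
     */
    public static boolean isOpenSSLPossible(SslOptions sslOptions) {
        if (!sslOptions.allowNativeSSL()) {
            return false;
        }
        if (!OpenSsl.isAvailable()) {
            LOG.debug("OpenSSL could not be enabled because a suitable implementation could not be found.", OpenSsl.unavailabilityCause());
            return false;
        }
        if (sslOptions.sslContextOverride() != null) {
            LOG.debug("OpenSSL could not be enabled due to user SSLContext being supplied.");
            return false;
        }
        if (!OpenSsl.supportsKeyManagerFactory()) {
            LOG.debug("OpenSSL could not be enabled because the version provided does not allow a KeyManagerFactory to be used.");
            return false;
        }
        if (sslOptions.keyAlias() != null) {
            LOG.debug("OpenSSL could not be enabled because a keyAlias is set and that feature is not supported for OpenSSL.");
            return false;
        }
        LOG.debug("OpenSSL Enabled: Version {} of OpenSSL will be used", OpenSsl.versionString());
        return true;
    }

    /**
     * Creates a Netty {@link SslHandler} wrapping a client-mode engine.
     *
     * <p>The OpenSSL path is taken when {@link #isOpenSSLPossible(SslOptions)} allows it; otherwise
     * the JDK provider is used, with the user-supplied {@link SSLContext} override if one is set.
     *
     * @param byteBufAllocator allocator handed to the OpenSSL engine (required on that path)
     * @param str peer host passed to the engine factory; may be {@code null} or empty
     * @param i peer port passed to the engine factory together with {@code str}
     * @param sslOptions the TLS configuration
     * @return a handler wrapping the configured engine
     * @throws Exception if the context or engine cannot be created
     */
    public static SslHandler createSslHandler(ByteBufAllocator byteBufAllocator, String str, int i, SslOptions sslOptions) throws Exception {
        final SSLEngine engine;
        if (isOpenSSLPossible(sslOptions)) {
            engine = createOpenSslEngine(byteBufAllocator, str, i, createOpenSslContext(sslOptions), sslOptions);
        } else {
            SSLContext context = sslOptions.sslContextOverride();
            if (context == null) {
                context = createJdkSslContext(sslOptions);
            }
            engine = createJdkSslEngine(str, i, context, sslOptions);
        }
        return new SslHandler(engine);
    }

    /**
     * Builds a JDK {@link SSLContext} for the configured context protocol, initialised with the
     * key and trust managers derived from the options.
     *
     * @param sslOptions the TLS configuration
     * @return the initialised context
     * @throws Exception any failure is logged at error level and rethrown unchanged
     */
    public static SSLContext createJdkSslContext(SslOptions sslOptions) throws Exception {
        try {
            String contextProtocol = sslOptions.contextProtocol();
            LOG.trace("Getting SSLContext instance using protocol: {}", contextProtocol);
            SSLContext context = SSLContext.getInstance(contextProtocol);
            // A null key-manager or trust-manager array is passed through to init() as-is.
            context.init(loadKeyManagers(sslOptions), loadTrustManagers(sslOptions), new SecureRandom());
            return context;
        } catch (Exception e) {
            LOG.error("Failed to create SSLContext: {}", e, e);
            throw e;
        }
    }

    /**
     * Creates and configures a client-mode {@link SSLEngine} from a JDK {@link SSLContext}.
     *
     * @param str peer host; when {@code null} or empty the engine is created without peer information
     * @param i peer port, used only when {@code str} is non-empty
     * @param sSLContext the context to create the engine from
     * @param sslOptions the TLS configuration (protocols, cipher suites, host verification)
     * @return the configured engine
     * @throws Exception if the engine cannot be created or configured
     */
    public static SSLEngine createJdkSslEngine(String str, int i, SSLContext sSLContext, SslOptions sslOptions) throws Exception {
        SSLEngine engine = (str == null || str.isEmpty()) ? sSLContext.createSSLEngine() : sSLContext.createSSLEngine(str, i);
        configureClientEngine(engine, sslOptions);
        return engine;
    }

    /**
     * Builds a Netty client {@link SslContext} backed by the OpenSSL provider.
     *
     * @param sslOptions the TLS configuration
     * @return the built context
     * @throws Exception any failure is logged at error level and rethrown unchanged
     */
    public static SslContext createOpenSslContext(SslOptions sslOptions) throws Exception {
        try {
            LOG.trace("Getting SslContext instance using protocol: {}", sslOptions.contextProtocol());
            KeyManagerFactory keyManagerFactory = loadKeyManagerFactory(sslOptions, SslProvider.OPENSSL);
            TrustManagerFactory trustManagerFactory = loadTrustManagerFactory(sslOptions);
            SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(SslProvider.OPENSSL);
            if (sslOptions.contextProtocol().equals(SslOptions.DEFAULT_CONTEXT_PROTOCOL)) {
                // NOTE(review): with the default context protocol this path pins the context to
                // TLSv1.2 only; confirm whether newer protocol versions should be offered here.
                builder.protocols(new String[]{"TLSv1.2"});
            } else {
                builder.protocols(new String[]{sslOptions.contextProtocol()});
            }
            builder.keyManager(keyManagerFactory);
            builder.trustManager(trustManagerFactory);
            return builder.build();
        } catch (Exception e) {
            LOG.error("Failed to create SslContext: {}", e, e);
            throw e;
        }
    }

    /**
     * Creates and configures a client-mode {@link SSLEngine} from a Netty {@link SslContext}.
     *
     * @param byteBufAllocator allocator for the engine; must not be {@code null}
     * @param str peer host; when {@code null} or empty the engine is created without peer information
     * @param i peer port, used only when {@code str} is non-empty
     * @param sslContext the Netty context to create the engine from
     * @param sslOptions the TLS configuration (protocols, cipher suites, host verification)
     * @return the configured engine
     * @throws IllegalArgumentException if {@code byteBufAllocator} is {@code null}
     * @throws Exception if the engine cannot be created or configured
     */
    public static SSLEngine createOpenSslEngine(ByteBufAllocator byteBufAllocator, String str, int i, SslContext sslContext, SslOptions sslOptions) throws Exception {
        if (byteBufAllocator == null) {
            throw new IllegalArgumentException("OpenSSL engine requires a valid ByteBufAllocator to operate");
        }
        SSLEngine engine = (str == null || str.isEmpty()) ? sslContext.newEngine(byteBufAllocator) : sslContext.newEngine(byteBufAllocator, str, i);
        configureClientEngine(engine, sslOptions);
        return engine;
    }

    /** Applies protocols, cipher suites, client mode and (optionally) hostname verification. */
    private static void configureClientEngine(SSLEngine engine, SslOptions sslOptions) {
        engine.setEnabledProtocols(buildEnabledProtocols(engine, sslOptions));
        engine.setEnabledCipherSuites(buildEnabledCipherSuites(engine, sslOptions));
        engine.setUseClientMode(true);
        if (sslOptions.verifyHost()) {
            // "HTTPS" endpoint identification makes the handshake check the peer certificate
            // against the peer host. When verifyHost is false nothing is set here, so this
            // class requests no hostname check.
            SSLParameters parameters = engine.getSSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(parameters);
        }
    }

    /**
     * Computes the protocol list for an engine: the configured enabled protocols (or the engine
     * defaults when none are configured) minus any configured disabled protocols.
     */
    private static String[] buildEnabledProtocols(SSLEngine sSLEngine, SslOptions sslOptions) {
        List<String> enabled = new ArrayList<>();
        if (sslOptions.enabledProtocols() != null) {
            List<String> configured = Arrays.asList(sslOptions.enabledProtocols());
            LOG.trace("Configured protocols from transport options: {}", configured);
            enabled.addAll(configured);
        } else {
            List<String> defaults = Arrays.asList(sSLEngine.getEnabledProtocols());
            LOG.trace("Default protocols from the SSLEngine: {}", defaults);
            enabled.addAll(defaults);
        }
        String[] disabledProtocols = sslOptions.disabledProtocols();
        if (disabledProtocols != null) {
            List<String> disabled = Arrays.asList(disabledProtocols);
            LOG.trace("Disabled protocols: {}", disabled);
            // The disabled list always wins, even over explicitly enabled entries.
            enabled.removeAll(disabled);
        }
        LOG.trace("Enabled protocols: {}", enabled);
        return enabled.toArray(new String[0]);
    }

    /**
     * Computes the cipher-suite list for an engine: the configured enabled suites (or the engine
     * defaults when none are configured) minus any configured disabled suites.
     */
    private static String[] buildEnabledCipherSuites(SSLEngine sSLEngine, SslOptions sslOptions) {
        List<String> enabled = new ArrayList<>();
        if (sslOptions.enabledCipherSuites() != null) {
            List<String> configured = Arrays.asList(sslOptions.enabledCipherSuites());
            LOG.trace("Configured cipher suites from transport options: {}", configured);
            enabled.addAll(configured);
        } else {
            List<String> defaults = Arrays.asList(sSLEngine.getEnabledCipherSuites());
            LOG.trace("Default cipher suites from the SSLEngine: {}", defaults);
            enabled.addAll(defaults);
        }
        String[] disabledCipherSuites = sslOptions.disabledCipherSuites();
        if (disabledCipherSuites != null) {
            List<String> disabled = Arrays.asList(disabledCipherSuites);
            LOG.trace("Disabled cipher suites: {}", disabled);
            // The disabled list always wins, even over explicitly enabled entries.
            enabled.removeAll(disabled);
        }
        LOG.trace("Enabled cipher suites: {}", enabled);
        return enabled.toArray(new String[0]);
    }

    /** Returns the trust managers for the options, or {@code null} when no factory applies. */
    private static TrustManager[] loadTrustManagers(SslOptions sslOptions) throws Exception {
        TrustManagerFactory factory = loadTrustManagerFactory(sslOptions);
        return factory != null ? factory.getTrustManagers() : null;
    }

    /**
     * Selects the trust manager factory: the insecure trust-all factory when {@code trustAll()}
     * is set, {@code null} when no trust store location is configured, otherwise a factory
     * initialised from the configured trust store.
     */
    private static TrustManagerFactory loadTrustManagerFactory(SslOptions sslOptions) throws Exception {
        if (sslOptions.trustAll()) {
            // trustAll takes precedence over any configured trust store. The warning makes a
            // connection that skips certificate validation visible in the logs.
            LOG.warn("SSL trustAll is enabled: server certificate chains will not be validated");
            return InsecureTrustManagerFactory.INSTANCE;
        }
        if (sslOptions.trustStoreLocation() == null) {
            // Callers pass this null through to the context, which falls back to its defaults.
            return null;
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        String trustStoreLocation = sslOptions.trustStoreLocation();
        String trustStorePassword = sslOptions.trustStorePassword();
        String trustStoreType = sslOptions.trustStoreType();
        LOG.trace("Attempt to load TrustStore from location {} of type {}", trustStoreLocation, trustStoreType);
        trustManagerFactory.init(loadStore(trustStoreLocation, trustStorePassword, trustStoreType));
        return trustManagerFactory;
    }

    /**
     * Loads the key managers for the JDK path. Returns {@code null} when no key store location is
     * configured. When a key alias is set it is validated against the store and every
     * {@link X509ExtendedKeyManager} is wrapped so that the alias is used.
     */
    private static KeyManager[] loadKeyManagers(SslOptions sslOptions) throws Exception {
        if (sslOptions.keyStoreLocation() == null) {
            return null;
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        String keyStoreLocation = sslOptions.keyStoreLocation();
        String keyStorePassword = sslOptions.keyStorePassword();
        String keyStoreType = sslOptions.keyStoreType();
        String keyAlias = sslOptions.keyAlias();
        // Only the location and type are logged; the password must never reach the log.
        LOG.trace("Attempt to load KeyStore from location {} of type {}", keyStoreLocation, keyStoreType);
        KeyStore keyStore = loadStore(keyStoreLocation, keyStorePassword, keyStoreType);
        keyManagerFactory.init(keyStore, keyStorePassword != null ? keyStorePassword.toCharArray() : null);
        if (keyAlias == null) {
            return keyManagerFactory.getKeyManagers();
        }
        validateAlias(keyStore, keyAlias);
        return wrapKeyManagers(keyAlias, keyManagerFactory.getKeyManagers());
    }

    /**
     * Builds the key manager factory for the given provider, or returns {@code null} when no key
     * store location is configured. The JDK provider uses the default algorithm; any other
     * provider gets an {@link OpenSslX509KeyManagerFactory}.
     */
    private static KeyManagerFactory loadKeyManagerFactory(SslOptions sslOptions, SslProvider sslProvider) throws Exception {
        if (sslOptions.keyStoreLocation() == null) {
            return null;
        }
        KeyManagerFactory keyManagerFactory = sslProvider.equals(SslProvider.JDK) ? KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()) : new OpenSslX509KeyManagerFactory();
        String keyStoreLocation = sslOptions.keyStoreLocation();
        String keyStorePassword = sslOptions.keyStorePassword();
        String keyStoreType = sslOptions.keyStoreType();
        // Only the location and type are logged; the password must never reach the log.
        LOG.trace("Attempt to load KeyStore from location {} of type {}", keyStoreLocation, keyStoreType);
        keyManagerFactory.init(loadStore(keyStoreLocation, keyStorePassword, keyStoreType), keyStorePassword != null ? keyStorePassword.toCharArray() : null);
        return keyManagerFactory;
    }

    /** Returns a copy of the array in which each X509ExtendedKeyManager is wrapped with the alias. */
    private static KeyManager[] wrapKeyManagers(String alias, KeyManager[] keyManagers) {
        KeyManager[] wrapped = new KeyManager[keyManagers.length];
        for (int index = 0; index < keyManagers.length; index++) {
            KeyManager candidate = keyManagers[index];
            // Key managers of any other type are passed through unchanged.
            wrapped[index] = candidate instanceof X509ExtendedKeyManager
                    ? new X509AliasKeyManager(alias, (X509ExtendedKeyManager) candidate)
                    : candidate;
        }
        return wrapped;
    }

    /**
     * Verifies that the alias exists in the key store and refers to a key entry.
     *
     * @throws IllegalArgumentException if the alias is missing or is not a key entry
     * @throws KeyStoreException if the key store has not been initialised
     */
    private static void validateAlias(KeyStore keyStore, String alias) throws IllegalArgumentException, KeyStoreException {
        if (!keyStore.containsAlias(alias)) {
            throw new IllegalArgumentException("The alias '" + alias + "' doesn't exist in the key store");
        }
        if (!keyStore.isKeyEntry(alias)) {
            throw new IllegalArgumentException("The alias '" + alias + "' in the keystore doesn't represent a key entry");
        }
    }

    /**
     * Loads a key store or trust store of the given type from a file.
     *
     * @param location path of the store file
     * @param password store password, or {@code null} to load without one
     * @param type key store type passed to {@link KeyStore#getInstance(String)}
     * @return the loaded store
     * @throws Exception if the type is unknown, the file cannot be read, or loading fails
     */
    private static KeyStore loadStore(String location, String password, String type) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(type);
        char[] passwordChars = password != null ? password.toCharArray() : null;
        // try-with-resources closes the stream even when load() throws (bad password, corrupt
        // or truncated store), so a failed load does not leak the file handle.
        try (FileInputStream input = new FileInputStream(new File(location))) {
            keyStore.load(input, passwordChars);
        }
        return keyStore;
    }
}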
