package aws_msk_iam_auth_shadow.software.amazon.awssdk.http.nio.netty.internal;

import aws_msk_iam_auth_shadow.io.netty.handler.codec.http2.Http2SecurityUtil;
import aws_msk_iam_auth_shadow.io.netty.handler.ssl.SslContext;
import aws_msk_iam_auth_shadow.io.netty.handler.ssl.SslContextBuilder;
import aws_msk_iam_auth_shadow.io.netty.handler.ssl.SslProvider;
import aws_msk_iam_auth_shadow.io.netty.handler.ssl.SupportedCipherSuiteFilter;
import aws_msk_iam_auth_shadow.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import aws_msk_iam_auth_shadow.software.amazon.awssdk.annotations.SdkInternalApi;
import aws_msk_iam_auth_shadow.software.amazon.awssdk.http.Protocol;
import aws_msk_iam_auth_shadow.software.amazon.awssdk.http.SystemPropertyTlsKeyManagersProvider;
import aws_msk_iam_auth_shadow.software.amazon.awssdk.http.TlsTrustManagersProvider;
import aws_msk_iam_auth_shadow.software.amazon.awssdk.utils.Logger;
import aws_msk_iam_auth_shadow.software.amazon.awssdk.utils.Validate;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds the client-side Netty {@link SslContext} used by the HTTP client, from the trust and
 * key material selected in a {@code NettyConfiguration}.
 *
 * <p>Security-relevant choices made here:
 * <ul>
 *   <li>Trust: a caller-supplied trust manager provider, or the builder's default trust
 *       configuration, or (when {@code trustAllCertificates} is set) a factory that accepts
 *       every certificate.</li>
 *   <li>Client identity: key managers from the configuration, falling back to
 *       {@link SystemPropertyTlsKeyManagersProvider}.</li>
 *   <li>Cipher suites: restricted to {@link Http2SecurityUtil#CIPHERS} for HTTP/2 only.</li>
 * </ul>
 *
 * <p>NOTE(review): nothing in this class sets the enabled TLS protocol versions or turns on
 * hostname verification; presumably that happens where the engine is created from this
 * context. Confirm against the caller.
 */
@SdkInternalApi
/* loaded from: input_file:aws_msk_iam_auth_shadow/software/amazon/awssdk/http/nio/netty/internal/SslContextProvider.class */
public final class SslContextProvider {
    private static final Logger log = Logger.loggerFor(SslContextProvider.class);
    private final Protocol protocol;
    private final SslProvider sslProvider;
    private final TrustManagerFactory trustManagerFactory;
    private final KeyManagerFactory keyManagerFactory;

    /**
     * Resolves the trust and key manager factories once, at construction time.
     *
     * @param nettyConfiguration source of the TLS trust/key settings
     * @param protocol           HTTP protocol in use; decides the cipher suite list
     * @param sslProvider        Netty SSL provider handed to the context builder
     * @throws RuntimeException whatever {@code Validate.isTrue} raises when both a trust manager
     *                          provider and {@code trustAllCertificates} are configured
     */
    public SslContextProvider(NettyConfiguration nettyConfiguration, Protocol protocol, SslProvider sslProvider) {
        this.protocol = protocol;
        this.sslProvider = sslProvider;
        // Trust material is resolved first, so a conflicting configuration is rejected before
        // any key material is looked up.
        this.trustManagerFactory = getTrustManager(nettyConfiguration);
        this.keyManagerFactory = getKeyManager(nettyConfiguration);
    }

    /**
     * Creates a new client {@link SslContext} from the settings captured in the constructor.
     *
     * @return a freshly built client context
     * @throws RuntimeException wrapping the {@link SSLException} if the context cannot be built
     */
    public SslContext sslContext() {
        try {
            SslContextBuilder builder = SslContextBuilder.forClient();
            builder = builder.sslProvider(sslProvider);
            // Suites the engine does not support are filtered out rather than causing a failure.
            builder = builder.ciphers(getCiphers(), SupportedCipherSuiteFilter.INSTANCE);
            builder = builder.trustManager(trustManagerFactory);
            builder = builder.keyManager(keyManagerFactory);
            return builder.build();
        } catch (SSLException sslFailure) {
            throw new RuntimeException(sslFailure);
        }
    }

    /**
     * Picks the cipher suite list for the configured protocol.
     *
     * @return {@link Http2SecurityUtil#CIPHERS} for HTTP/2, otherwise {@code null} so that the
     *         builder keeps its default cipher suites
     */
    private List<String> getCiphers() {
        return protocol.equals(Protocol.HTTP2) ? Http2SecurityUtil.CIPHERS : null;
    }

    /**
     * Chooses the trust manager factory.
     *
     * <p>A custom provider and {@code trustAllCertificates} are mutually exclusive. With
     * {@code trustAllCertificates} set, server certificates are not verified at all, so the
     * connection gives no protection against an on-path attacker; the warning below is the only
     * trace this leaves, which makes it worth alerting on in production logs.
     *
     * @param config source of the trust settings
     * @return the factory wrapping the custom trust managers, the insecure trust-all factory, or
     *         {@code null} when neither is configured
     */
    private TrustManagerFactory getTrustManager(NettyConfiguration config) {
        TlsTrustManagersProvider customProvider = config.tlsTrustManagersProvider();
        boolean hasCustomProvider = customProvider != null;
        Validate.isTrue(!hasCustomProvider || !config.trustAllCertificates(),
                "A TlsTrustManagerProvider can't be provided if TrustAllCertificates is also set");

        if (hasCustomProvider) {
            return StaticTrustManagerFactory.create(customProvider.trustManagers());
        }
        if (config.trustAllCertificates()) {
            log.warn(() -> "SSL Certificate verification is disabled. This is not a safe setting and should only be used for testing.");
            return InsecureTrustManagerFactory.INSTANCE;
        }
        // No override: the builder is left with its default trust configuration.
        return null;
    }

    /**
     * Chooses the key manager factory used for client authentication.
     *
     * @param config source of the key manager settings
     * @return a factory over the configured key managers, else over the ones supplied by
     *         {@link SystemPropertyTlsKeyManagersProvider}, else {@code null}
     */
    private KeyManagerFactory getKeyManager(NettyConfiguration config) {
        if (config.tlsKeyManagersProvider() != null) {
            KeyManager[] configured = config.tlsKeyManagersProvider().keyManagers();
            if (configured != null) {
                return StaticKeyManagerFactory.create(configured);
            }
        }
        // Fallback when the configuration supplies no usable key managers.
        KeyManager[] fromSystemProperties = SystemPropertyTlsKeyManagersProvider.create().keyManagers();
        return fromSystemProperties == null ? null : StaticKeyManagerFactory.create(fromSystemProperties);
    }
}
