package org.apache.kafka.common.security.ssl;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.SslClientAuth;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.errors.InvalidConfigurationException;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;
import org.bouncycastle.openssl.PEMParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.2.jar:org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.class */
public final class DefaultSslEngineFactory implements SslEngineFactory {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultSslEngineFactory.class);
    public static final String PEM_TYPE = "PEM";
    private Map<String, ?> configs;
    private String protocol;
    private String provider;
    private String kmfAlgorithm;
    private String tmfAlgorithm;
    private SecurityStore keystore;
    private SecurityStore truststore;
    private String[] cipherSuites;
    private String[] enabledProtocols;
    private SecureRandom secureRandomImplementation;
    private SSLContext sslContext;
    private SslClientAuth sslClientAuth;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.2.jar:org/apache/kafka/common/security/ssl/DefaultSslEngineFactory$FileBasedPemStore.class */
    public static class FileBasedPemStore extends FileBasedStore {
        FileBasedPemStore(String str, Password password, boolean z) {
            super(DefaultSslEngineFactory.PEM_TYPE, str, null, password, z);
        }

        @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.FileBasedStore
        protected KeyStore load(boolean z) {
            try {
                Password password = new Password(Utils.readFileAsString(this.path));
                return (z ? new PemStore(password, password, this.keyPassword) : new PemStore(password)).keyStore;
            } catch (Exception e) {
                throw new InvalidConfigurationException("Failed to load PEM SSL keystore " + this.path, e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.2.jar:org/apache/kafka/common/security/ssl/DefaultSslEngineFactory$FileBasedStore.class */
    public static class FileBasedStore implements SecurityStore {
        private final String type;
        protected final String path;
        private final Password password;
        protected final Password keyPassword;
        private final Long fileLastModifiedMs;
        private final KeyStore keyStore;

        FileBasedStore(String str, String str2, Password password, Password password2, boolean z) {
            Objects.requireNonNull(str, "type must not be null");
            this.type = str;
            this.path = str2;
            this.password = password;
            this.keyPassword = password2;
            this.fileLastModifiedMs = lastModifiedMs(str2);
            this.keyStore = load(z);
        }

        @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.SecurityStore
        public KeyStore get() {
            return this.keyStore;
        }

        @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.SecurityStore
        public char[] keyPassword() {
            Password password = this.keyPassword != null ? this.keyPassword : this.password;
            if (password == null) {
                return null;
            }
            return password.value().toCharArray();
        }

        protected KeyStore load(boolean z) {
            try {
                InputStream newInputStream = Files.newInputStream(Paths.get(this.path, new String[0]), new OpenOption[0]);
                Throwable th = null;
                try {
                    try {
                        KeyStore keyStore = KeyStore.getInstance(this.type);
                        keyStore.load(newInputStream, this.password != null ? this.password.value().toCharArray() : null);
                        if (newInputStream != null) {
                            if (0 != 0) {
                                try {
                                    newInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                newInputStream.close();
                            }
                        }
                        return keyStore;
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (newInputStream != null) {
                        if (th != null) {
                            try {
                                newInputStream.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            newInputStream.close();
                        }
                    }
                    throw th3;
                }
            } catch (IOException | GeneralSecurityException e) {
                throw new KafkaException("Failed to load SSL keystore " + this.path + " of type " + this.type, e);
            }
        }

        private Long lastModifiedMs(String str) {
            try {
                return Long.valueOf(Files.getLastModifiedTime(Paths.get(str, new String[0]), new LinkOption[0]).toMillis());
            } catch (IOException e) {
                DefaultSslEngineFactory.log.error("Modification time of key store could not be obtained: " + str, (Throwable) e);
                return null;
            }
        }

        @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.SecurityStore
        public boolean modified() {
            Long lastModifiedMs = lastModifiedMs(this.path);
            return (lastModifiedMs == null || Objects.equals(lastModifiedMs, this.fileLastModifiedMs)) ? false : true;
        }

        public String toString() {
            return "SecurityStore(path=" + this.path + ", modificationTime=" + (this.fileLastModifiedMs == null ? null : new Date(this.fileLastModifiedMs.longValue())) + DefaultExpressionEngine.DEFAULT_INDEX_END;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.2.jar:org/apache/kafka/common/security/ssl/DefaultSslEngineFactory$PemParser.class */
    public static class PemParser {
        private final String name;
        private final Pattern pattern;

        PemParser(String str) {
            this.name = str;
            String replace = str.replace(StringUtils.SPACE, "\\s+");
            this.pattern = Pattern.compile(String.format("-+%s\\s*.*%s[^-]*-+\\s+", "BEGIN", replace) + String.format("(?:%s)*", "\\s*[^\\r\\n]*:[^\\r\\n]*[\\r\\n]+") + "([a-zA-Z0-9/+=\\s]*)" + String.format("-+%s\\s*.*%s[^-]*-+\\s+", "END", replace));
        }

        /* JADX INFO: Access modifiers changed from: private */
        public List<byte[]> pemEntries(String str) {
            Matcher matcher = this.pattern.matcher(str + "\n");
            ArrayList arrayList = new ArrayList();
            while (matcher.find()) {
                arrayList.add(Base64.getDecoder().decode(matcher.group(1).replaceAll("\\s", "")));
            }
            if (arrayList.isEmpty()) {
                throw new InvalidConfigurationException("No matching " + this.name + " entries in PEM file");
            }
            return arrayList;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.2.jar:org/apache/kafka/common/security/ssl/DefaultSslEngineFactory$PemStore.class */
    public static class PemStore implements SecurityStore {
        private static final PemParser CERTIFICATE_PARSER = new PemParser(PEMParser.TYPE_CERTIFICATE);
        private static final PemParser PRIVATE_KEY_PARSER = new PemParser(PEMParser.TYPE_PRIVATE_KEY);
        private static final List<KeyFactory> KEY_FACTORIES = Arrays.asList(keyFactory("RSA"), keyFactory("DSA"), keyFactory("EC"));
        private final char[] keyPassword;
        private final KeyStore keyStore;

        PemStore(Password password, Password password2, Password password3) {
            this.keyPassword = password3 == null ? null : password3.value().toCharArray();
            this.keyStore = createKeyStoreFromPem(password2.value(), password.value(), this.keyPassword);
        }

        PemStore(Password password) {
            this.keyPassword = null;
            this.keyStore = createTrustStoreFromPem(password.value());
        }

        @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.SecurityStore
        public KeyStore get() {
            return this.keyStore;
        }

        @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.SecurityStore
        public char[] keyPassword() {
            return this.keyPassword;
        }

        @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.SecurityStore
        public boolean modified() {
            return false;
        }

        private KeyStore createKeyStoreFromPem(String str, String str2, char[] cArr) {
            try {
                KeyStore keyStore = KeyStore.getInstance("PKCS12");
                keyStore.load(null, null);
                keyStore.setKeyEntry("kafka", privateKey(str, cArr), cArr, certs(str2));
                return keyStore;
            } catch (Exception e) {
                throw new InvalidConfigurationException("Invalid PEM keystore configs", e);
            }
        }

        private KeyStore createTrustStoreFromPem(String str) {
            try {
                KeyStore keyStore = KeyStore.getInstance("PKCS12");
                keyStore.load(null, null);
                Certificate[] certs = certs(str);
                for (int i = 0; i < certs.length; i++) {
                    keyStore.setCertificateEntry("kafka" + i, certs[i]);
                }
                return keyStore;
            } catch (InvalidConfigurationException e) {
                throw e;
            } catch (Exception e2) {
                throw new InvalidConfigurationException("Invalid PEM keystore configs", e2);
            }
        }

        private Certificate[] certs(String str) throws GeneralSecurityException {
            List pemEntries = CERTIFICATE_PARSER.pemEntries(str);
            if (pemEntries.isEmpty()) {
                throw new InvalidConfigurationException("At least one certificate expected, but none found");
            }
            Certificate[] certificateArr = new Certificate[pemEntries.size()];
            for (int i = 0; i < certificateArr.length; i++) {
                certificateArr[i] = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream((byte[]) pemEntries.get(i)));
            }
            return certificateArr;
        }

        private PrivateKey privateKey(String str, char[] cArr) throws Exception {
            PKCS8EncodedKeySpec keySpec;
            List pemEntries = PRIVATE_KEY_PARSER.pemEntries(str);
            if (pemEntries.isEmpty()) {
                throw new InvalidConfigurationException("Private key not provided");
            }
            if (pemEntries.size() != 1) {
                throw new InvalidConfigurationException("Expected one private key, but found " + pemEntries.size());
            }
            byte[] bArr = (byte[]) pemEntries.get(0);
            if (cArr == null) {
                keySpec = new PKCS8EncodedKeySpec(bArr);
            } else {
                EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(bArr);
                String algName = encryptedPrivateKeyInfo.getAlgName();
                SecretKey generateSecret = SecretKeyFactory.getInstance(algName).generateSecret(new PBEKeySpec(cArr));
                Cipher cipher = Cipher.getInstance(algName);
                cipher.init(2, generateSecret, encryptedPrivateKeyInfo.getAlgParameters());
                keySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
            }
            InvalidKeySpecException invalidKeySpecException = null;
            Iterator<KeyFactory> it = KEY_FACTORIES.iterator();
            while (it.hasNext()) {
                try {
                    return it.next().generatePrivate(keySpec);
                } catch (InvalidKeySpecException e) {
                    if (invalidKeySpecException == null) {
                        invalidKeySpecException = e;
                    }
                }
            }
            throw new InvalidConfigurationException("Private key could not be loaded", invalidKeySpecException);
        }

        private static KeyFactory keyFactory(String str) {
            try {
                return KeyFactory.getInstance(str);
            } catch (Exception e) {
                throw new InvalidConfigurationException("Could not create key factory for algorithm " + str, e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.2.jar:org/apache/kafka/common/security/ssl/DefaultSslEngineFactory$SecurityStore.class */
    public interface SecurityStore {
        KeyStore get();

        char[] keyPassword();

        boolean modified();
    }

    @Override // org.apache.kafka.common.security.auth.SslEngineFactory
    public SSLEngine createClientSslEngine(String str, int i, String str2) {
        return createSslEngine(Mode.CLIENT, str, i, str2);
    }

    @Override // org.apache.kafka.common.security.auth.SslEngineFactory
    public SSLEngine createServerSslEngine(String str, int i) {
        return createSslEngine(Mode.SERVER, str, i, null);
    }

    @Override // org.apache.kafka.common.security.auth.SslEngineFactory
    public boolean shouldBeRebuilt(Map<String, Object> map) {
        if (!map.equals(this.configs)) {
            return true;
        }
        if (this.truststore == null || !this.truststore.modified()) {
            return this.keystore != null && this.keystore.modified();
        }
        return true;
    }

    @Override // org.apache.kafka.common.security.auth.SslEngineFactory
    public Set<String> reconfigurableConfigs() {
        return SslConfigs.RECONFIGURABLE_CONFIGS;
    }

    @Override // org.apache.kafka.common.security.auth.SslEngineFactory
    public KeyStore keystore() {
        if (this.keystore != null) {
            return this.keystore.get();
        }
        return null;
    }

    @Override // org.apache.kafka.common.security.auth.SslEngineFactory
    public KeyStore truststore() {
        if (this.truststore != null) {
            return this.truststore.get();
        }
        return null;
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.configs = Collections.unmodifiableMap(map);
        this.protocol = (String) map.get(SslConfigs.SSL_PROTOCOL_CONFIG);
        this.provider = (String) map.get(SslConfigs.SSL_PROVIDER_CONFIG);
        SecurityUtils.addConfiguredSecurityProviders(this.configs);
        List list = (List) map.get(SslConfigs.SSL_CIPHER_SUITES_CONFIG);
        if (list == null || list.isEmpty()) {
            this.cipherSuites = null;
        } else {
            this.cipherSuites = (String[]) list.toArray(new String[0]);
        }
        List list2 = (List) map.get(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
        if (list2 == null || list2.isEmpty()) {
            this.enabledProtocols = null;
        } else {
            this.enabledProtocols = (String[]) list2.toArray(new String[0]);
        }
        this.secureRandomImplementation = createSecureRandom((String) map.get(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG));
        this.sslClientAuth = createSslClientAuth((String) map.get("ssl.client.auth"));
        this.kmfAlgorithm = (String) map.get(SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
        this.tmfAlgorithm = (String) map.get(SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
        this.keystore = createKeystore((String) map.get(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG), (String) map.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG), (Password) map.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG), (Password) map.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG), (Password) map.get(SslConfigs.SSL_KEYSTORE_KEY_CONFIG), (Password) map.get(SslConfigs.SSL_KEYSTORE_CERTIFICATE_CHAIN_CONFIG));
        this.truststore = createTruststore((String) map.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG), (String) map.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG), (Password) map.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG), (Password) map.get(SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_CONFIG));
        this.sslContext = createSSLContext(this.keystore, this.truststore);
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.sslContext = null;
    }

    public SSLContext sslContext() {
        return this.sslContext;
    }

    private SSLEngine createSslEngine(Mode mode, String str, int i, String str2) {
        SSLEngine createSSLEngine = this.sslContext.createSSLEngine(str, i);
        if (this.cipherSuites != null) {
            createSSLEngine.setEnabledCipherSuites(this.cipherSuites);
        }
        if (this.enabledProtocols != null) {
            createSSLEngine.setEnabledProtocols(this.enabledProtocols);
        }
        if (mode == Mode.SERVER) {
            createSSLEngine.setUseClientMode(false);
            switch (this.sslClientAuth) {
                case REQUIRED:
                    createSSLEngine.setNeedClientAuth(true);
                    break;
                case REQUESTED:
                    createSSLEngine.setWantClientAuth(true);
                    break;
            }
            createSSLEngine.setUseClientMode(false);
        } else {
            createSSLEngine.setUseClientMode(true);
            SSLParameters sSLParameters = createSSLEngine.getSSLParameters();
            sSLParameters.setEndpointIdentificationAlgorithm(str2);
            createSSLEngine.setSSLParameters(sSLParameters);
        }
        return createSSLEngine;
    }

    private static SslClientAuth createSslClientAuth(String str) {
        SslClientAuth forConfig = SslClientAuth.forConfig(str);
        if (forConfig != null) {
            return forConfig;
        }
        log.warn("Unrecognized client authentication configuration {}.  Falling back to NONE.  Recognized client authentication configurations are {}.", str, String.join(", ", (Iterable<? extends CharSequence>) SslClientAuth.VALUES.stream().map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList())));
        return SslClientAuth.NONE;
    }

    private static SecureRandom createSecureRandom(String str) {
        if (str == null) {
            return null;
        }
        try {
            return SecureRandom.getInstance(str);
        } catch (GeneralSecurityException e) {
            throw new KafkaException(e);
        }
    }

    private SSLContext createSSLContext(SecurityStore securityStore, SecurityStore securityStore2) {
        try {
            SSLContext sSLContext = this.provider != null ? SSLContext.getInstance(this.protocol, this.provider) : SSLContext.getInstance(this.protocol);
            KeyManager[] keyManagerArr = null;
            if (securityStore != null || this.kmfAlgorithm != null) {
                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(this.kmfAlgorithm != null ? this.kmfAlgorithm : KeyManagerFactory.getDefaultAlgorithm());
                if (securityStore != null) {
                    keyManagerFactory.init(securityStore.get(), securityStore.keyPassword());
                } else {
                    keyManagerFactory.init(null, null);
                }
                keyManagerArr = keyManagerFactory.getKeyManagers();
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(this.tmfAlgorithm != null ? this.tmfAlgorithm : TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(securityStore2 == null ? null : securityStore2.get());
            sSLContext.init(keyManagerArr, trustManagerFactory.getTrustManagers(), this.secureRandomImplementation);
            log.debug("Created SSL context with keystore {}, truststore {}, provider {}.", securityStore, securityStore2, sSLContext.getProvider().getName());
            return sSLContext;
        } catch (Exception e) {
            throw new KafkaException(e);
        }
    }

    protected SecurityStore createKeystore(String str, String str2, Password password, Password password2, Password password3, Password password4) {
        if (password3 != null) {
            if (!PEM_TYPE.equals(str)) {
                throw new InvalidConfigurationException("SSL private key can be specified only for PEM, but key store type is " + str + ".");
            }
            if (password4 == null) {
                throw new InvalidConfigurationException("SSL private key is specified, but certificate chain is not specified.");
            }
            if (str2 != null) {
                throw new InvalidConfigurationException("Both SSL key store location and separate private key are specified.");
            }
            if (password != null) {
                throw new InvalidConfigurationException("SSL key store password cannot be specified with PEM format, only key password may be specified.");
            }
            return new PemStore(password4, password3, password2);
        }
        if (password4 != null) {
            throw new InvalidConfigurationException("SSL certificate chain is specified, but private key is not specified");
        }
        if (PEM_TYPE.equals(str) && str2 != null) {
            if (password != null) {
                throw new InvalidConfigurationException("SSL key store password cannot be specified with PEM format, only key password may be specified");
            }
            if (password2 == null) {
                throw new InvalidConfigurationException("SSL PEM key store is specified, but key password is not specified.");
            }
            return new FileBasedPemStore(str2, password2, true);
        }
        if (str2 == null && password != null) {
            throw new InvalidConfigurationException("SSL key store is not specified, but key store password is specified.");
        }
        if (str2 != null && password == null) {
            throw new InvalidConfigurationException("SSL key store is specified, but key store password is not specified.");
        }
        if (str2 == null || password == null) {
            return null;
        }
        return new FileBasedStore(str, str2, password, password2, true);
    }

    private static SecurityStore createTruststore(String str, String str2, Password password, Password password2) {
        if (password2 != null) {
            if (!PEM_TYPE.equals(str)) {
                throw new InvalidConfigurationException("SSL trust store certs can be specified only for PEM, but trust store type is " + str + ".");
            }
            if (str2 != null) {
                throw new InvalidConfigurationException("Both SSL trust store location and separate trust certificates are specified.");
            }
            if (password != null) {
                throw new InvalidConfigurationException("SSL trust store password cannot be specified for PEM format.");
            }
            return new PemStore(password2);
        }
        if (PEM_TYPE.equals(str) && str2 != null) {
            if (password != null) {
                throw new InvalidConfigurationException("SSL trust store password cannot be specified for PEM format.");
            }
            return new FileBasedPemStore(str2, null, false);
        }
        if (str2 == null && password != null) {
            throw new InvalidConfigurationException("SSL trust store is not specified, but trust store password is specified.");
        }
        if (str2 != null) {
            return new FileBasedStore(str, str2, password, null, false);
        }
        return null;
    }
}
