package com.linkedin.alpini.netty4.ssl;

import com.linkedin.alpini.io.ssl.SSLContextBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.Ciphers;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslProtocols;
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Stream;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;

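/**
 * Loads the key and trust material described by a {@link Config} and exposes it two ways:
 * a legacy JSSE {@link SSLContext}/{@link SSLParameters} pair (the {@code SslFactory}
 * accessors) and a Netty server/client {@link SslContext} pair from which
 * {@link #createSSLEngine} builds engines.
 *
 * <p>All stores are loaded eagerly in the constructor and any failure propagates, so an
 * instance whose {@link #isSslEnabled()} is {@code true} always holds fully built contexts.
 *
 * <p>Security notes, limited to what this class does itself (the Netty-side policy lives in
 * {@code com.linkedin.alpini.netty4.http2.SSLContextBuilder.setupContext}, not visible here):
 * <ul>
 *   <li>{@link #CIPHER_SUITE_ALLOWLIST} contains two NULL-encryption suites; see its doc.</li>
 *   <li>{@code Config.setUseInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk(true)}
 *       pins BOTH Netty contexts to TLSv1 only and disables HTTP/2.</li>
 *   <li>{@code Config.doesSslRequireClientCerts()} is applied to the JSSE parameters and,
 *       through {@link #isSslRequireClientCerts()}, to every server-side engine this factory
 *       creates (previously the field was never set from the config, so server engines only
 *       required client certificates if a caller invoked {@link #setSslRequireClientCerts}).</li>
 *   <li>Nothing in this class enables endpoint identification (hostname verification) on the
 *       engines it creates; confirm whether {@code setupContext} does.</li>
 * </ul>
 *
 * <p>Thread-safety: the only post-construction mutator is {@link #setSslRequireClientCerts(boolean)},
 * which is unsynchronized; call it before the factory is shared across threads.
 */
public class SSLEngineFactoryImpl implements SSLEngineFactory {
    private SSLContext _context;
    private boolean _sslEnabled;
    private boolean _sslRequireClientCerts;
    private String _keyStoreFilePath;
    private String _trustStoreFilePath;

    @Deprecated
    private String _keyStoreData;
    private SSLParameters _parameters;
    private SslContext _serverContext;
    private SslContext _clientContext;

    /**
     * Cipher suites the legacy JSSE {@link SSLParameters} are restricted to, in preference
     * order (see {@link #filterDisallowedCiphersuites}).
     *
     * <p>SECURITY NOTE(review): {@code SSL_RSA_WITH_NULL_MD5} and {@code SSL_RSA_WITH_NULL_SHA}
     * are NULL-encryption suites: the handshake authenticates the peer and records are
     * integrity-protected, but application data is sent in the clear. They are left in place
     * because this constant is public and a deployment may deliberately rely on them on a
     * trusted network; everyone else must confirm the JDK's {@code jdk.tls.disabledAlgorithms}
     * removes them from the supported list, or remove them here. The remaining suites all use
     * static RSA key exchange, so no suite in this list offers forward secrecy; the forward-secret
     * HTTP/2 suites are only merged in when a {@link Provider} is configured (see constructor).
     */
    public static final String[] CIPHER_SUITE_ALLOWLIST = {
            Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256,
            Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256,
            Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA,
            "SSL_RSA_WITH_NULL_MD5",
            "SSL_RSA_WITH_NULL_SHA" };

    /**
     * Mutable configuration consumed once by {@link SSLEngineFactoryImpl#SSLEngineFactoryImpl(Config)}.
     *
     * <p>Either {@code keyStoreData} (base64 key store, deprecated path) or BOTH
     * {@code keyStoreFilePath} and {@code trustStoreFilePath} must be set when SSL is enabled.
     * Defaults: SSL disabled, client certificates required, HTTP/2 permitted, key store type
     * {@code "jks"}, empty passwords, session cache size and timeout {@code 0} (passed through to
     * {@code setupContext}; their meaning is defined there).
     *
     * <p>{@code requireClientCertOnLocalHost} is stored but not read by the factory.
     */
    public static class Config {
        private Provider _sslContextProvider;
        private boolean _useInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk;
        private boolean _useRefCount;
        private String _keyStoreData = "";
        private String _keyStorePassword = "";
        private String _keyStoreType = "jks";
        private String _keyStoreFilePath = "";
        private String _trustStoreFilePath = "";
        private String _trustStoreFilePassword = "";
        private boolean _sslEnabled = false;
        private boolean _sslRequireClientCerts = true;
        private boolean _requireClientCertOnLocalHost = false;
        private boolean _permitHttp2 = true;
        private long _sessionCacheSize = 0;
        private long _sessionTimeout = 0;

        /** Base64-encoded key store bytes; takes precedence over the file paths when non-blank. */
        public void setKeyStoreData(String str) {
            this._keyStoreData = str;
        }

        public String getKeyStoreData() {
            return this._keyStoreData;
        }

        public void setKeyStoreFilePath(String str) {
            this._keyStoreFilePath = str;
        }

        public String getKeyStoreFilePath() {
            return this._keyStoreFilePath;
        }

        public void setKeyStorePassword(String str) {
            this._keyStorePassword = str;
        }

        /**
         * @return the key store password (also used as the key password)
         * @throws ConfigHelper.MissingConfigParameterException if it was explicitly set to {@code null}
         */
        public String getKeyStorePassword() {
            return ConfigHelper.getRequired(this._keyStorePassword);
        }

        public void setTrustStoreFilePath(String str) {
            this._trustStoreFilePath = str;
        }

        public String getTrustStoreFilePath() {
            return this._trustStoreFilePath;
        }

        public void setTrustStoreFilePassword(String str) {
            this._trustStoreFilePassword = str;
        }

        public String getTrustStoreFilePassword() {
            return this._trustStoreFilePassword;
        }

        /** Key store type for the file-based path; only {@code jks} and {@code pkcs12} are accepted (case-insensitive). */
        public void setKeyStoreType(String str) {
            this._keyStoreType = str;
        }

        public String getKeyStoreType() {
            return this._keyStoreType;
        }

        public void setSslEnabled(boolean z) {
            this._sslEnabled = z;
        }

        public boolean getSslEnabled() {
            // A primitive can never be "missing", so no ConfigHelper check is needed here.
            return this._sslEnabled;
        }

        /** Whether server-side engines must receive a client certificate (default {@code true}). */
        public boolean doesSslRequireClientCerts() {
            return this._sslRequireClientCerts;
        }

        public void setSslRequireClientCerts(boolean z) {
            this._sslRequireClientCerts = z;
        }

        public boolean isRequireClientCertOnLocalHost() {
            return this._requireClientCertOnLocalHost;
        }

        public void setRequireClientCertOnLocalHost(boolean z) {
            this._requireClientCertOnLocalHost = z;
        }

        /** HTTP/2 is never permitted while the insecure TLSv1-only mode is on. */
        public boolean isPermitHttp2() {
            return this._permitHttp2 && !this._useInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk;
        }

        public void setPermitHttp2(boolean z) {
            this._permitHttp2 = z;
        }

        public long getSessionCacheSize() {
            return this._sessionCacheSize;
        }

        public void setSessionCacheSize(long j) {
            this._sessionCacheSize = j;
        }

        public long getSessionTimeout() {
            return this._sessionTimeout;
        }

        public void setSessionTimeout(long j) {
            this._sessionTimeout = j;
        }

        public boolean getUseInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk() {
            return this._useInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk;
        }

        /**
         * Restricts the Netty contexts to TLSv1 ONLY (not "TLSv1 and up") and disables HTTP/2.
         * Enable solely for peers that cannot negotiate anything newer.
         */
        public void setUseInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk(boolean z) {
            this._useInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk = z;
        }

        public Provider getSslContextProvider() {
            return this._sslContextProvider;
        }

        /** Optional JSSE provider for the legacy context; also triggers the HTTP/2 cipher merge. */
        public void setSslContextProvider(Provider provider) {
            this._sslContextProvider = provider;
        }

        public boolean isUseRefCount() {
            return this._useRefCount;
        }

        public void setUseRefCount(boolean z) {
            this._useRefCount = z;
        }
    }

    /** Null checks for required configuration values. */
    public static class ConfigHelper {

        /** Thrown when a required configuration value is absent. */
        public static class MissingConfigParameterException extends IllegalArgumentException {
            public MissingConfigParameterException(String str) {
                super(str);
            }
        }

        private ConfigHelper() {
        }

        public static Object getRequiredObject(Object obj) throws MissingConfigParameterException {
            return getRequired(obj);
        }

        /**
         * @return {@code t} unchanged
         * @throws MissingConfigParameterException if {@code t} is {@code null}
         */
        public static <T> T getRequired(T t) throws MissingConfigParameterException {
            if (t == null) {
                throw new MissingConfigParameterException("required Object has not been defined");
            }
            return t;
        }
    }

    /**
     * JSSE context builder backing {@link #getSSLContext()}. Both overloads use the
     * {@code SunX509} key/trust-manager algorithm and a {@code "TLS"} context obtained through
     * {@link SSLEngineFactoryImpl#getInstance(String, Provider)}.
     */
    private static class LegacyBuilder extends SSLContextBuilder {
        private static final String DEFAULT_ALGORITHM = "SunX509";
        private static final String DEFAULT_PROTOCOL = "TLS";
        private static final String JKS_STORE_TYPE_NAME = "JKS";
        private static final String P12_STORE_TYPE_NAME = "PKCS12";
        private final Provider _provider;

        LegacyBuilder(Provider provider) {
            this._provider = provider;
        }

        /**
         * Builds a context from a base64-encoded key store of the JVM's default type
         * ({@link KeyStore#getDefaultType()}).
         *
         * <p>The SAME store serves as key store and trust store, so every certificate it holds,
         * including the local certificate chain, becomes a trust anchor for peers.
         *
         * @param keyStoreData base64 of the key store bytes
         * @param password     key store and key password (must be non-null)
         * @throws Exception on decode, load or initialisation failure
         */
        @Override // com.linkedin.alpini.io.ssl.SSLContextBuilder
        public SSLContext build(String keyStoreData, String password) throws Exception {
            char[] secret = Objects.requireNonNull(password, "keyStorePassword").toCharArray();
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(decode(keyStoreData), secret);
            return initContext(keyStore, secret, keyStore);
        }

        /**
         * Builds a context from a key store file and a separate trust store file.
         *
         * <p>The trust store is always opened as {@code JKS}, whatever {@code keyStoreType} says.
         *
         * @param keyStoreFile       PKCS12 or JKS key store
         * @param keyStorePassword   key store and key password (non-null)
         * @param keyStoreType       {@code PKCS12} or {@code JKS}, case-insensitive
         * @param trustStoreFile     JKS trust store
         * @param trustStorePassword trust store password (non-null; a null would skip the JKS integrity check)
         * @throws IllegalArgumentException for any other {@code keyStoreType}
         * @throws Exception on read, load or initialisation failure
         */
        @Override // com.linkedin.alpini.io.ssl.SSLContextBuilder
        public SSLContext build(File keyStoreFile, String keyStorePassword, String keyStoreType, File trustStoreFile, String trustStorePassword) throws Exception {
            if (!P12_STORE_TYPE_NAME.equalsIgnoreCase(keyStoreType) && !JKS_STORE_TYPE_NAME.equalsIgnoreCase(keyStoreType)) {
                throw new IllegalArgumentException("Unsupported keyStoreType: " + keyStoreType);
            }
            char[] keySecret = Objects.requireNonNull(keyStorePassword, "keyStorePassword").toCharArray();
            char[] trustSecret = Objects.requireNonNull(trustStorePassword, "trustStoreFilePassword").toCharArray();
            KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            keyStore.load(readAll(keyStoreFile), keySecret);
            KeyStore trustStore = KeyStore.getInstance(JKS_STORE_TYPE_NAME);
            trustStore.load(readAll(trustStoreFile), trustSecret);
            return initContext(keyStore, keySecret, trustStore);
        }

        /** Wires key and trust managers into a fresh context; shared by both {@code build} overloads. */
        private SSLContext initContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
            KeyManagerFactory keyManagers = KeyManagerFactory.getInstance(DEFAULT_ALGORITHM);
            keyManagers.init(keyStore, keyPassword);
            TrustManagerFactory trustManagers = TrustManagerFactory.getInstance(DEFAULT_ALGORITHM);
            trustManagers.init(trustStore);
            SSLContext context = SSLEngineFactoryImpl.getInstance(DEFAULT_PROTOCOL, this._provider);
            context.init(keyManagers.getKeyManagers(), trustManagers.getTrustManagers(), null);
            return context;
        }

        /** Base64-decodes into an in-memory stream (nothing to close). */
        private static InputStream decode(String base64) {
            return new ByteArrayInputStream(Base64.getDecoder().decode(base64));
        }

        /** Reads the whole file into an in-memory stream (nothing to close). */
        private static InputStream readAll(File file) throws IOException {
            return new ByteArrayInputStream(FileUtils.readFileToByteArray(file));
        }
    }

    /**
     * Loads all TLS material described by {@code config}.
     *
     * <p>When SSL is disabled nothing is loaded and every context accessor returns {@code null}.
     * Otherwise the legacy JSSE context is built (once; the stores are no longer loaded twice),
     * its parameters are restricted to {@link #CIPHER_SUITE_ALLOWLIST} and client-auth is set
     * from {@code doesSslRequireClientCerts()}, then the Netty server and client contexts are
     * built through {@code setupContext}. With a {@link Provider} configured and the legacy
     * TLSv1 mode off, the HTTP/2 suites the JSSE context supports are prepended to the
     * parameters' cipher list.
     *
     * @throws ConfigHelper.MissingConfigParameterException if SSL is enabled but neither
     *         {@code keyStoreData} nor both store paths are set (blank values count as unset)
     * @throws SSLProtocolException if the JSSE context supports none of the allow-listed suites
     * @throws Exception on any store load or context initialisation failure
     */
    public SSLEngineFactoryImpl(Config config) throws Exception {
        this._sslEnabled = config.getSslEnabled();
        if (!this._sslEnabled) {
            this._context = null;
            this._parameters = null;
            return;
        }
        this._keyStoreFilePath = config.getKeyStoreFilePath();
        this._trustStoreFilePath = config.getTrustStoreFilePath();
        this._keyStoreData = config.getKeyStoreData();
        // Propagate the requirement so init() enforces it on server engines; without this the
        // JSSE parameters demanded a client cert while the Netty engines did not.
        this._sslRequireClientCerts = config.doesSslRequireClientCerts();
        Provider provider = config.getSslContextProvider();
        boolean legacyTlsOnly = config.getUseInsecureLegacyTlsProtocolBecauseOfBrokenPeersUsingAncientJdk();
        LegacyBuilder legacyBuilder = new LegacyBuilder(provider);

        // Source handed to setupContext: the base64 String or the key store File. Both paths
        // use the same blank-test so the legacy and Netty contexts always load the same store.
        Object keyStoreSource;
        File trustStoreFile;
        if (StringUtils.isNotBlank(this._keyStoreData)) {
            this._context = legacyBuilder.build(getKeyStoreData(), config.getKeyStorePassword());
            keyStoreSource = getKeyStoreData();
            trustStoreFile = null;
        } else {
            if (StringUtils.isBlank(this._keyStoreFilePath) || StringUtils.isBlank(this._trustStoreFilePath)) {
                throw new ConfigHelper.MissingConfigParameterException("Either keyStoreData or (keyStoreFilePath and trustStoreFilePath) must be provided to operate in sslEnabled mode.");
            }
            File keyStoreFile = new File(getKeyStoreFilePath());
            trustStoreFile = new File(getTrustStoreFilePath());
            this._context = legacyBuilder.build(keyStoreFile, config.getKeyStorePassword(), config.getKeyStoreType(), trustStoreFile, config.getTrustStoreFilePassword());
            keyStoreSource = keyStoreFile;
        }

        String[] allowedSuites = filterDisallowedCiphersuites(this._context.getSocketFactory().getSupportedCipherSuites());
        this._parameters = this._context.getDefaultSSLParameters();
        this._parameters.setCipherSuites(allowedSuites);
        if (this._sslRequireClientCerts) {
            this._parameters.setNeedClientAuth(true);
        } else {
            // Ask for a certificate but continue the handshake without one.
            this._parameters.setWantClientAuth(true);
        }

        Function<Function<KeyManagerFactory, SslContextBuilder>, SslContextBuilder> setup =
                com.linkedin.alpini.netty4.http2.SSLContextBuilder.setupContext(
                        provider,
                        keyStoreSource,
                        config.getKeyStorePassword(),
                        config.getKeyStoreType(),
                        trustStoreFile,
                        config.getTrustStoreFilePassword(),
                        config.getSessionCacheSize(),
                        config.getSessionTimeout(),
                        config.isPermitHttp2(),
                        config.isUseRefCount());
        Function<SslContextBuilder, SslContextBuilder> protocolPolicy;
        if (legacyTlsOnly) {
            // TLSv1 only: no TLS 1.2/1.3 at all on either side while this flag is set.
            protocolPolicy = builder -> builder.protocols(SslProtocols.TLS_v1);
        } else {
            protocolPolicy = Function.identity();
        }
        this._serverContext = com.linkedin.alpini.netty4.http2.SSLContextBuilder.build(
                protocolPolicy.apply(setup.apply(SslContextBuilder::forServer)));
        SslContextBuilder clientBuilder = SslContextBuilder.forClient();
        this._clientContext = com.linkedin.alpini.netty4.http2.SSLContextBuilder.build(
                protocolPolicy.apply(setup.apply(clientBuilder::keyManager)));

        if (provider != null && !legacyTlsOnly) {
            // Prepend the HTTP/2 (ECDHE/GCM) suites the provider actually supports to the
            // allow-listed ones; this is the only place forward-secret suites reach the JSSE parameters.
            HashSet<String> supported = new HashSet<>(Arrays.asList(this._context.getSocketFactory().getSupportedCipherSuites()));
            Stream<String> http2Suites = Http2SecurityUtil.CIPHERS.stream().filter(supported::contains);
            String[] merged = Stream.concat(http2Suites, Stream.of(this._parameters.getCipherSuites()))
                    .distinct()
                    .toArray(String[]::new);
            this._parameters.setCipherSuites(merged);
        }
    }

    /**
     * Intersects {@code supported} with {@link #CIPHER_SUITE_ALLOWLIST}.
     *
     * <p>The result follows the allow-list's order (deterministic, most preferred first;
     * the NULL suites are last) rather than hash-set order.
     *
     * @param supported cipher suites the context supports
     * @return the allow-listed subset, never empty
     * @throws SSLProtocolException if {@code supported} is {@code null}, empty, or shares no suite with the allow-list
     */
    public static String[] filterDisallowedCiphersuites(String[] supported) throws SSLProtocolException {
        if (supported == null || supported.length == 0) {
            throw new SSLProtocolException("No Allowlisted SSL Ciphers Available.");
        }
        HashSet<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        String[] retained = Arrays.stream(CIPHER_SUITE_ALLOWLIST)
                .filter(supportedSet::contains)
                .distinct()
                .toArray(String[]::new);
        if (retained.length == 0) {
            throw new SSLProtocolException("No Allowlisted SSL Ciphers Available.");
        }
        return retained;
    }

    /** @return the legacy JSSE context, or {@code null} when SSL is disabled */
    @Override // com.linkedin.alpini.base.ssl.SslFactory
    public SSLContext getSSLContext() {
        return this._context;
    }

    /**
     * @return the live (mutable) JSSE parameters with the restricted cipher list and client-auth
     *         setting, or {@code null} when SSL is disabled
     */
    @Override // com.linkedin.alpini.base.ssl.SslFactory
    public SSLParameters getSSLParameters() {
        return this._parameters;
    }

    @Override // com.linkedin.alpini.base.ssl.SslFactory
    public boolean isSslEnabled() {
        return this._sslEnabled;
    }

    /** Whether server-side engines from this factory demand a client certificate. */
    public boolean isSslRequireClientCerts() {
        return this._sslRequireClientCerts;
    }

    /** Overrides the configured requirement for engines created after this call; not synchronized. */
    public void setSslRequireClientCerts(boolean z) {
        this._sslRequireClientCerts = z;
    }

    /** @return the server context for {@code true}, the client context for {@code false} ({@code null} when SSL is disabled) */
    @Override // com.linkedin.alpini.netty4.ssl.SSLEngineFactory
    public SslContext context(boolean z) {
        return z ? this._serverContext : this._clientContext;
    }

    /**
     * Creates an engine bound to a peer host/port (Netty uses them for session caching / SNI;
     * hostname verification is not enabled by this class).
     *
     * @throws NullPointerException if SSL is disabled (no context exists)
     */
    @Override // com.linkedin.alpini.netty4.ssl.SSLEngineFactory
    public SSLEngine createSSLEngine(ByteBufAllocator byteBufAllocator, String peerHost, int peerPort, boolean server) {
        return init(context(server).newEngine(byteBufAllocator, peerHost, peerPort), server);
    }

    /** Creates an engine without peer information. */
    @Override // com.linkedin.alpini.netty4.ssl.SSLEngineFactory
    public SSLEngine createSSLEngine(ByteBufAllocator byteBufAllocator, boolean server) {
        return init(context(server).newEngine(byteBufAllocator), server);
    }

    /** Server engines are upgraded to NEED client auth when required; client engines are returned untouched. */
    private SSLEngine init(SSLEngine engine, boolean server) {
        if (server && isSslRequireClientCerts()) {
            engine.setNeedClientAuth(true);
        }
        return engine;
    }

    @Override // com.linkedin.alpini.netty4.ssl.SSLEngineFactory
    public SSLSessionContext sessionContext(boolean z) {
        return context(z).sessionContext();
    }

    private String getKeyStoreFilePath() {
        return this._keyStoreFilePath;
    }

    private String getTrustStoreFilePath() {
        return this._trustStoreFilePath;
    }

    private String getKeyStoreData() {
        return this._keyStoreData;
    }

    /** {@link SSLContext#getInstance} with the provider applied only when one is given. */
    public static SSLContext getInstance(String protocol, Provider provider) throws NoSuchAlgorithmException {
        return provider == null ? SSLContext.getInstance(protocol) : SSLContext.getInstance(protocol, provider);
    }
}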
