package com.linkedin.alpini.netty4.http2;

import com.linkedin.alpini.base.concurrency.Lazy;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufInputStream;
import io.netty.buffer.Unpooled;
import io.netty.buffer.UnpooledByteBufAllocator;
import io.netty.handler.codec.base64.Base64;
import io.netty.handler.codec.base64.Base64Dialect;
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/linkedin/alpini/netty4/http2/SSLContextBuilder.class */
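/**
 * Static factory for Netty {@link SslContext} instances used by the alpini HTTP/2 stack.
 *
 * <p>Two families of contexts are produced:
 * <ul>
 *   <li>contexts without key material: servers present a lazily generated self-signed
 *       certificate, clients trust every server certificate (see
 *       {@link #makeClientContext(Provider, long, long, boolean, boolean)});</li>
 *   <li>key-store backed contexts assembled by {@link #setupContext}, optionally with a separate
 *       JKS trust store.</li>
 * </ul>
 *
 * <p>The Netty SSL provider is OpenSSL when {@link #useOpenSsl()} holds and no JCE
 * {@link Provider} is supplied, otherwise the JDK provider. Every context goes through
 * {@link #build(SslContextBuilder)}, which drops ALPN if the provider cannot negotiate it.
 *
 * <p>System properties read by this class:
 * <ul>
 *   <li>{@code com.linkedin.alpini.netty4.http2.useOpenSsl} (default {@code true})</li>
 *   <li>{@code com.linkedin.alpini.netty4.http2.useGcmCiphers} (default {@code false}, read once
 *       at class initialisation into {@link #CIPHERS})</li>
 * </ul>
 */
public final class SSLContextBuilder {
    private static final Logger LOG = LogManager.getLogger(SSLContextBuilder.class);

    /** Algorithm used for both {@link KeyManagerFactory} and {@link TrustManagerFactory}. */
    private static final String DEFAULT_ALGORITHM = "SunX509";
    /** The only protocol enabled on client contexts built without a key store. */
    private static final String DEFAULT_PROTOCOL = "TLSv1.2";
    private static final String JKS_STORE_TYPE_NAME = "JKS";
    private static final String P12_STORE_TYPE_NAME = "PKCS12";
    private static final String USE_OPENSSL_PROPERTY = "com.linkedin.alpini.netty4.http2.useOpenSsl";
    private static final String USE_GCM_CIPHERS_PROPERTY = "com.linkedin.alpini.netty4.http2.useGcmCiphers";

    /**
     * Protocols enabled on server contexts and on every key-store backed context.
     *
     * <p>NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions. They are kept because
     * removing them changes which peers can still connect; review whether callers still need them.
     */
    private static final String[] CLIENT_PROTOCOLS = {"TLSv1.2", "TLSv1.1", "TLSv1"};

    /** Cipher suites without AES-GCM (CBC and ChaCha20-Poly1305 only). */
    public static final List<String> NO_GCM_CIPHERS = Collections.unmodifiableList(Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"));

    /**
     * Netty's HTTP/2 cipher list ({@link Http2SecurityUtil#CIPHERS}) followed by three RSA
     * key-exchange suites. Always used with OpenSSL or an explicit JCE provider.
     */
    public static final List<String> WITH_GCM_CIPHERS = Collections.unmodifiableList(
        Stream.concat(
            Http2SecurityUtil.CIPHERS.stream(),
            Stream.of(
                "TLS_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA"))
            .collect(Collectors.toList()));

    /**
     * Cipher list for the JDK provider without an explicit JCE provider: {@link #WITH_GCM_CIPHERS}
     * when the {@code useGcmCiphers} property is {@code true}, else {@link #NO_GCM_CIPHERS}.
     * Declared after both lists because static initialisers run in textual order.
     */
    public static final List<String> CIPHERS =
        Boolean.parseBoolean(System.getProperty(USE_GCM_CIPHERS_PROPERTY, "false")) ? WITH_GCM_CIPHERS : NO_GCM_CIPHERS;

    /** Shared self-signed certificate for {@link #makeServerContext(Provider, long, long, boolean, boolean)}. */
    private static final Supplier<SelfSignedCertificate> SELF_SIGNED_CERTIFICATE_SUPPLIER =
        Lazy.of(SSLContextBuilder::constructSelfSignedCertificate);

    private SSLContextBuilder() {
    }

    /**
     * Invokes the static no-arg method {@code methodName} on {@code io.netty.handler.ssl.OpenSsl}
     * reflectively and reports whether it returned {@link Boolean#TRUE}.
     *
     * @return the method's result, or {@code false} on any failure; a missing class, a missing
     *     method or a {@link LinkageError} from native loading all mean "not available"
     */
    private static boolean checkOpenSsl(String methodName) {
        try {
            Object result = Class.forName("io.netty.handler.ssl.OpenSsl").getDeclaredMethod(methodName).invoke(null);
            return Boolean.TRUE.equals(result);
        } catch (Throwable ignored) {
            // Feature probe: Throwable is deliberate so that LinkageErrors from the native
            // library are treated like any other "OpenSSL is unusable" outcome.
            return false;
        }
    }

    /**
     * Whether contexts should be built with Netty's OpenSSL provider.
     *
     * @return {@code true} when the {@code useOpenSsl} property is not set to {@code false}
     *     and {@code OpenSsl.isAvailable()} reports the native library as usable
     */
    public static boolean useOpenSsl() {
        return Boolean.parseBoolean(System.getProperty(USE_OPENSSL_PROPERTY, "true")) && checkOpenSsl("isAvailable");
    }

    /**
     * Chooses the Netty provider: JDK whenever a JCE provider is given or OpenSSL is unavailable,
     * otherwise the reference-counted or plain OpenSSL provider.
     */
    private static SslProvider getProvider(Provider sslContextProvider, boolean refCounted) {
        if (sslContextProvider != null || !useOpenSsl()) {
            return SslProvider.JDK;
        }
        return refCounted ? SslProvider.OPENSSL_REFCNT : SslProvider.OPENSSL;
    }

    /**
     * Cipher list for a given provider combination.
     *
     * @param provider the JCE provider, may be {@code null}
     * @param sslProvider the Netty provider selected for the context
     * @return {@link #CIPHERS} for the JDK provider without a JCE provider, else {@link #WITH_GCM_CIPHERS}
     */
    public static List<String> getCiphers(Provider provider, SslProvider sslProvider) {
        boolean plainJdk = provider == null && sslProvider == SslProvider.JDK;
        return plainJdk ? CIPHERS : WITH_GCM_CIPHERS;
    }

    /**
     * Builds the context, first probing that a handler can be created with the configured ALPN
     * settings. If that probe fails the ALPN configuration is removed (logged at ERROR) and the
     * context is built without it, so callers get plain TLS instead of a failure.
     *
     * <p>NOTE(review): the probe context and handler are never released. With
     * {@link SslProvider#OPENSSL_REFCNT} both hold reference-counted native state, so this path
     * looks like a native leak per call — confirm and release them if that provider is used.
     *
     * @param sslContextBuilder a fully configured builder; mutated when ALPN is dropped
     * @throws SSLException if the final build fails
     */
    public static SslContext build(SslContextBuilder sslContextBuilder) throws SSLException {
        try {
            sslContextBuilder.build().newHandler(UnpooledByteBufAllocator.DEFAULT);
        } catch (Throwable th) {
            LOG.error("ALPN not available", th);
            sslContextBuilder.applicationProtocolConfig(null);
        }
        return sslContextBuilder.build();
    }

    /**
     * ALPN configuration advertising h2 (optionally) and http/1.1.
     *
     * @return the configuration, or {@code null} (no ALPN) when OpenSSL is in use but reports
     *     ALPN as unsupported
     */
    private static ApplicationProtocolConfig makeApplicationProtocolConfig(boolean enableHttp2) {
        if (useOpenSsl() && !checkOpenSsl("isAlpnSupported")) {
            LOG.warn("Unable to configure ALPN with OpenSSL because it is not supported");
            return null;
        }
        String[] protocols = enableHttp2
            ? new String[] {ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1}
            : new String[] {ApplicationProtocolNames.HTTP_1_1};
        return new ApplicationProtocolConfig(
            ApplicationProtocolConfig.Protocol.ALPN,
            ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
            ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
            protocols);
    }

    /** Client context without key material, h2 enabled. See the five-argument overload. */
    public static SslContext makeClientContext(long sessionCacheSize, long sessionTimeout) throws SSLException {
        return makeClientContext(sessionCacheSize, sessionTimeout, true);
    }

    /** Client context without key material and without a JCE provider. See the five-argument overload. */
    public static SslContext makeClientContext(long sessionCacheSize, long sessionTimeout, boolean enableHttp2)
            throws SSLException {
        return makeClientContext(null, sessionCacheSize, sessionTimeout, enableHttp2);
    }

    /** Client context without key material, non-reference-counted provider. See the five-argument overload. */
    public static SslContext makeClientContext(Provider provider, long sessionCacheSize, long sessionTimeout,
            boolean enableHttp2) throws SSLException {
        return makeClientContext(provider, sessionCacheSize, sessionTimeout, enableHttp2, false);
    }

    /**
     * Client context that trusts every server certificate.
     *
     * <p>This path installs {@link InsecureTrustManagerFactory}: connections are encrypted but the
     * server is not authenticated, so a caller that needs server authentication must use one of the
     * key-store overloads instead. Only {@value #DEFAULT_PROTOCOL} is enabled.
     *
     * @param provider JCE provider, or {@code null} to allow OpenSSL
     * @param sessionCacheSize passed to {@link SslContextBuilder#sessionCacheSize(long)}
     * @param sessionTimeout passed to {@link SslContextBuilder#sessionTimeout(long)}
     * @param enableHttp2 whether to advertise h2 via ALPN
     * @param refCounted whether to prefer {@link SslProvider#OPENSSL_REFCNT} over {@link SslProvider#OPENSSL}
     * @throws SSLException if the context cannot be built
     */
    public static SslContext makeClientContext(Provider provider, long sessionCacheSize, long sessionTimeout,
            boolean enableHttp2, boolean refCounted) throws SSLException {
        SslProvider sslProvider = getProvider(provider, refCounted);
        return build(SslContextBuilder.forClient()
            .sslProvider(sslProvider)
            .sslContextProvider(provider)
            .protocols(DEFAULT_PROTOCOL)
            .ciphers(getCiphers(provider, sslProvider), SupportedCipherSuiteFilter.INSTANCE)
            // No trust store on this path: any server certificate is accepted.
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .sessionCacheSize(sessionCacheSize)
            .sessionTimeout(sessionTimeout)
            .applicationProtocolConfig(makeApplicationProtocolConfig(enableHttp2)));
    }

    /** Key-store backed client context, h2 enabled. See {@link #setupContext} for the parameters. */
    public static SslContext makeClientContext(Object keyStore, String keyStorePassword, String keyStoreType,
            File trustStoreFile, String trustStorePassword, long sessionCacheSize, long sessionTimeout)
            throws IOException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException,
            CertificateException {
        return makeClientContext(keyStore, keyStorePassword, keyStoreType, trustStoreFile, trustStorePassword,
            sessionCacheSize, sessionTimeout, true);
    }

    /** Key-store backed client context without a JCE provider. See {@link #setupContext} for the parameters. */
    public static SslContext makeClientContext(Object keyStore, String keyStorePassword, String keyStoreType,
            File trustStoreFile, String trustStorePassword, long sessionCacheSize, long sessionTimeout,
            boolean enableHttp2) throws IOException, KeyStoreException, UnrecoverableKeyException,
            NoSuchAlgorithmException, CertificateException {
        return makeClientContext(null, keyStore, keyStorePassword, keyStoreType, trustStoreFile, trustStorePassword,
            sessionCacheSize, sessionTimeout, enableHttp2);
    }

    /** Key-store backed client context, non-reference-counted provider. See {@link #setupContext}. */
    public static SslContext makeClientContext(Provider provider, Object keyStore, String keyStorePassword,
            String keyStoreType, File trustStoreFile, String trustStorePassword, long sessionCacheSize,
            long sessionTimeout, boolean enableHttp2) throws IOException, KeyStoreException,
            UnrecoverableKeyException, NoSuchAlgorithmException, CertificateException {
        return makeClientContext(provider, keyStore, keyStorePassword, keyStoreType, trustStoreFile,
            trustStorePassword, sessionCacheSize, sessionTimeout, enableHttp2, false);
    }

    /**
     * Key-store backed client context. The key store supplies the client certificate and, unless a
     * trust store is given, the trusted certificates. See {@link #setupContext} for the parameters.
     */
    public static SslContext makeClientContext(Provider provider, Object keyStore, String keyStorePassword,
            String keyStoreType, File trustStoreFile, String trustStorePassword, long sessionCacheSize,
            long sessionTimeout, boolean enableHttp2, boolean refCounted) throws IOException, KeyStoreException,
            UnrecoverableKeyException, NoSuchAlgorithmException, CertificateException {
        Function<Function<KeyManagerFactory, SslContextBuilder>, SslContextBuilder> configure = setupContext(
            provider, keyStore, keyStorePassword, keyStoreType, trustStoreFile, trustStorePassword,
            sessionCacheSize, sessionTimeout, enableHttp2, refCounted);
        return build(configure.apply(keyManagerFactory -> SslContextBuilder.forClient().keyManager(keyManagerFactory)));
    }

    /**
     * Generates the shared self-signed certificate.
     *
     * <p>{@link Supplier#get()} cannot declare {@link CertificateException}, so generation failure is
     * wrapped in an {@link Error}; it surfaces from the first {@code makeServerContext} call that
     * needs the certificate.
     */
    private static SelfSignedCertificate constructSelfSignedCertificate() {
        try {
            return new SelfSignedCertificate();
        } catch (CertificateException e) {
            throw new Error(e);
        }
    }

    /** Self-signed server context, h2 enabled. See the five-argument overload. */
    public static SslContext makeServerContext(long sessionCacheSize, long sessionTimeout) throws SSLException {
        return makeServerContext(sessionCacheSize, sessionTimeout, true);
    }

    /** Self-signed server context without a JCE provider. See the five-argument overload. */
    public static SslContext makeServerContext(long sessionCacheSize, long sessionTimeout, boolean enableHttp2)
            throws SSLException {
        return makeServerContext(null, sessionCacheSize, sessionTimeout, enableHttp2);
    }

    /** Self-signed server context, non-reference-counted provider. See the five-argument overload. */
    public static SslContext makeServerContext(Provider provider, long sessionCacheSize, long sessionTimeout,
            boolean enableHttp2) throws SSLException {
        return makeServerContext(provider, sessionCacheSize, sessionTimeout, enableHttp2, false);
    }

    /**
     * Server context presenting the shared {@link SelfSignedCertificate}. Clients cannot validate
     * that certificate against any CA, so this is only suitable where the peer does not verify the
     * server (for example the {@link #makeClientContext(long, long)} family). Protocols are
     * {@code CLIENT_PROTOCOLS}; no trust manager is configured.
     *
     * @param provider JCE provider, or {@code null} to allow OpenSSL
     * @param sessionCacheSize passed to {@link SslContextBuilder#sessionCacheSize(long)}
     * @param sessionTimeout passed to {@link SslContextBuilder#sessionTimeout(long)}
     * @param enableHttp2 whether to advertise h2 via ALPN
     * @param refCounted whether to prefer {@link SslProvider#OPENSSL_REFCNT} over {@link SslProvider#OPENSSL}
     * @throws SSLException if the context cannot be built
     */
    public static SslContext makeServerContext(Provider provider, long sessionCacheSize, long sessionTimeout,
            boolean enableHttp2, boolean refCounted) throws SSLException {
        SslProvider sslProvider = getProvider(provider, refCounted);
        SelfSignedCertificate cert = SELF_SIGNED_CERTIFICATE_SUPPLIER.get();
        return build(SslContextBuilder.forServer(cert.certificate(), cert.privateKey())
            .sslProvider(sslProvider)
            .sslContextProvider(provider)
            .protocols(CLIENT_PROTOCOLS)
            .ciphers(getCiphers(provider, sslProvider), SupportedCipherSuiteFilter.INSTANCE)
            .sessionCacheSize(sessionCacheSize)
            .sessionTimeout(sessionTimeout)
            .applicationProtocolConfig(makeApplicationProtocolConfig(enableHttp2)));
    }

    /** Key-store backed server context, h2 enabled. See {@link #setupContext} for the parameters. */
    public static SslContext makeServerContext(Object keyStore, String keyStorePassword, String keyStoreType,
            File trustStoreFile, String trustStorePassword, long sessionCacheSize, long sessionTimeout)
            throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException,
            IOException {
        return makeServerContext(keyStore, keyStorePassword, keyStoreType, trustStoreFile, trustStorePassword,
            sessionCacheSize, sessionTimeout, true);
    }

    /** Key-store backed server context without a JCE provider. See {@link #setupContext} for the parameters. */
    public static SslContext makeServerContext(Object keyStore, String keyStorePassword, String keyStoreType,
            File trustStoreFile, String trustStorePassword, long sessionCacheSize, long sessionTimeout,
            boolean enableHttp2) throws IOException, KeyStoreException, UnrecoverableKeyException,
            NoSuchAlgorithmException, CertificateException {
        return makeServerContext(null, keyStore, keyStorePassword, keyStoreType, trustStoreFile, trustStorePassword,
            sessionCacheSize, sessionTimeout, enableHttp2);
    }

    /** Key-store backed server context, non-reference-counted provider. See {@link #setupContext}. */
    public static SslContext makeServerContext(Provider provider, Object keyStore, String keyStorePassword,
            String keyStoreType, File trustStoreFile, String trustStorePassword, long sessionCacheSize,
            long sessionTimeout, boolean enableHttp2) throws IOException, KeyStoreException,
            UnrecoverableKeyException, NoSuchAlgorithmException, CertificateException {
        return makeServerContext(provider, keyStore, keyStorePassword, keyStoreType, trustStoreFile,
            trustStorePassword, sessionCacheSize, sessionTimeout, enableHttp2, false);
    }

    /**
     * Key-store backed server context. The key store supplies the server certificate and, unless a
     * trust store is given, the trusted client certificates. See {@link #setupContext} for the parameters.
     */
    public static SslContext makeServerContext(Provider provider, Object keyStore, String keyStorePassword,
            String keyStoreType, File trustStoreFile, String trustStorePassword, long sessionCacheSize,
            long sessionTimeout, boolean enableHttp2, boolean refCounted) throws IOException, KeyStoreException,
            UnrecoverableKeyException, NoSuchAlgorithmException, CertificateException {
        Function<Function<KeyManagerFactory, SslContextBuilder>, SslContextBuilder> configure = setupContext(
            provider, keyStore, keyStorePassword, keyStoreType, trustStoreFile, trustStorePassword,
            sessionCacheSize, sessionTimeout, enableHttp2, refCounted);
        return build(configure.apply(SslContextBuilder::forServer));
    }

    /** {@link #setupContext} with a non-reference-counted provider. */
    public static Function<Function<KeyManagerFactory, SslContextBuilder>, SslContextBuilder> setupContext(
            Provider provider, Object keyStore, String keyStorePassword, String keyStoreType, File trustStoreFile,
            String trustStorePassword, long sessionCacheSize, long sessionTimeout, boolean enableHttp2)
            throws IOException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException,
            CertificateException {
        return setupContext(provider, keyStore, keyStorePassword, keyStoreType, trustStoreFile, trustStorePassword,
            sessionCacheSize, sessionTimeout, enableHttp2, false);
    }

    /**
     * Loads the key material and returns a function that finishes configuring a
     * {@link SslContextBuilder} obtained from the supplied {@link KeyManagerFactory}-accepting factory
     * ({@code SslContextBuilder::forServer} or {@code forClient().keyManager(...)}).
     *
     * <p>The key store also serves as the trust store when {@code trustStoreFile} is {@code null};
     * a separate trust store is always read as JKS. Protocols are {@code CLIENT_PROTOCOLS}.
     *
     * @param provider JCE provider, or {@code null} to allow OpenSSL
     * @param keyStore a {@link File}, or any other object whose {@code toString()} is the
     *     standard-Base64 encoded key store
     * @param keyStorePassword key store integrity password, also used to recover the keys
     * @param keyStoreType {@code PKCS12} or {@code JKS} (case-insensitive)
     * @param trustStoreFile optional JKS trust store
     * @param trustStorePassword trust store password; required when {@code trustStoreFile} is given
     * @param sessionCacheSize passed to {@link SslContextBuilder#sessionCacheSize(long)}
     * @param sessionTimeout passed to {@link SslContextBuilder#sessionTimeout(long)}
     * @param enableHttp2 whether to advertise h2 via ALPN
     * @param refCounted whether to prefer {@link SslProvider#OPENSSL_REFCNT} over {@link SslProvider#OPENSSL}
     * @throws NoSuchAlgorithmException if {@code keyStoreType} is neither PKCS12 nor JKS, or the
     *     {@value #DEFAULT_ALGORITHM} factories are unavailable
     * @throws NullPointerException if {@code keyStore}, {@code keyStorePassword} or {@code keyStoreType}
     *     is {@code null}, or {@code trustStorePassword} is {@code null} while a trust store is given
     */
    public static Function<Function<KeyManagerFactory, SslContextBuilder>, SslContextBuilder> setupContext(
            Provider provider, Object keyStore, String keyStorePassword, String keyStoreType, File trustStoreFile,
            String trustStorePassword, long sessionCacheSize, long sessionTimeout, boolean enableHttp2,
            boolean refCounted) throws IOException, KeyStoreException, UnrecoverableKeyException,
            NoSuchAlgorithmException, CertificateException {
        Objects.requireNonNull(keyStore, "keyStore");
        Objects.requireNonNull(keyStorePassword, "keyStorePassword");
        Objects.requireNonNull(keyStoreType, "keyStoreType");
        if (!keyStoreType.equalsIgnoreCase(P12_STORE_TYPE_NAME) && !keyStoreType.equalsIgnoreCase(JKS_STORE_TYPE_NAME)) {
            throw new NoSuchAlgorithmException("Unsupported keyStoreType: " + keyStoreType);
        }
        SslProvider sslProvider = getProvider(provider, refCounted);

        KeyStore keys = KeyStore.getInstance(keyStoreType);
        // KeyStore.load does not close the stream it is given.
        try (InputStream in = toInputStream(keyStore)) {
            keys.load(in, keyStorePassword.toCharArray());
        }

        KeyStore trusted;
        if (trustStoreFile != null) {
            Objects.requireNonNull(trustStorePassword, "trustStorePassword");
            trusted = KeyStore.getInstance(JKS_STORE_TYPE_NAME);
            try (InputStream in = toInputStream(trustStoreFile)) {
                trusted.load(in, trustStorePassword.toCharArray());
            }
        } else {
            trusted = keys;
        }

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(DEFAULT_ALGORITHM);
        keyManagerFactory.init(keys, keyStorePassword.toCharArray());
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(DEFAULT_ALGORITHM);
        trustManagerFactory.init(trusted);
        LOG.info("setupContext provider={} sslContextProvider={}", sslProvider, provider);

        // ALPN availability is re-checked when the function is applied, not here.
        return builderFactory -> builderFactory.apply(keyManagerFactory)
            .sslProvider(sslProvider)
            .sslContextProvider(provider)
            .protocols(CLIENT_PROTOCOLS)
            .ciphers(getCiphers(provider, sslProvider), SupportedCipherSuiteFilter.INSTANCE)
            .trustManager(trustManagerFactory)
            .sessionCacheSize(sessionCacheSize)
            .sessionTimeout(sessionTimeout)
            .applicationProtocolConfig(makeApplicationProtocolConfig(enableHttp2));
    }

    /**
     * Opens key-store material as a stream. A {@link File} is read fully into a heap buffer; any
     * other object is treated as standard Base64 text (via {@code toString()}) and decoded.
     * Callers are expected to close the returned stream.
     *
     * @throws IOException if the file cannot be read or is larger than {@link Integer#MAX_VALUE} bytes
     */
    private static InputStream toInputStream(Object source) throws IOException {
        if (!(source instanceof File)) {
            ByteBuf encoded = Unpooled.copiedBuffer(source.toString(), StandardCharsets.US_ASCII);
            try {
                // Base64.decode returns a freshly allocated buffer, so the encoded copy is released here.
                ByteBuf decoded = Base64.decode(encoded, encoded.readerIndex(), encoded.readableBytes(), Base64Dialect.STANDARD);
                return new ByteBufInputStream(decoded);
            } finally {
                encoded.release();
            }
        }
        File file = (File) source;
        long length = file.length();
        if (length > Integer.MAX_VALUE) {
            throw new IOException("File too large to buffer: " + file + " (" + length + " bytes)");
        }
        int size = (int) length;
        ByteBuf content = Unpooled.buffer(size);
        try (FileInputStream in = new FileInputStream(file)) {
            // A single read is not guaranteed to return the whole file; keep reading until the
            // expected size is buffered or the stream ends.
            while (content.readableBytes() < size) {
                int read = content.writeBytes(in, size - content.readableBytes());
                if (read < 0) {
                    break;
                }
            }
        } catch (IOException | RuntimeException e) {
            content.release();
            throw e;
        }
        return new ByteBufInputStream(content);
    }
}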
