package org.apache.bookkeeper.tls;

import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.bookkeeper.conf.AbstractConfiguration;
import org.apache.bookkeeper.conf.ClientConfiguration;
import org.apache.bookkeeper.conf.ServerConfiguration;
import org.apache.bookkeeper.net.NodeBase;
import org.apache.bookkeeper.shaded.com.google.common.base.Strings;
import org.apache.bookkeeper.tls.SecurityHandlerFactory;
import org.apache.commons.io.FileUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/bookkeeper/tls/TLSContextFactory.class */
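/**
 * {@link SecurityHandlerFactory} that builds a Netty {@link SslContext} from the
 * BookKeeper TLS configuration and hands out one {@link SslHandler} per channel.
 *
 * <p>{@link #init} must be called exactly once before {@link #newTLSHandler()}.
 * Key/trust stores are read from disk at {@code init} time; the store passwords are
 * read from the configured password files (an empty or absent path means "no password").
 */
public class TLSContextFactory implements SecurityHandlerFactory {
    private static final Logger LOG = LoggerFactory.getLogger(TLSContextFactory.class);

    /** Pipeline name under which the TLS handler is registered. */
    private static final String TLSCONTEXT_HANDLER_NAME = "tls";

    // Written once by the synchronized init() and read by newTLSHandler() without a lock,
    // so they are volatile to publish the initialized values to other threads.
    private volatile String[] protocols;
    private volatile String[] ciphers;
    private volatile SslContext sslContext;

    /**
     * Reads a store password from a file.
     *
     * @param path path of the password file
     * @return the file content decoded as UTF-8, or {@code ""} for an empty file
     * @throws IOException if the file cannot be read
     */
    private String getPasswordFromFile(String path) throws IOException {
        byte[] raw = Files.readAllBytes(Paths.get(path));
        // Callers trim() the result, so a trailing newline in the password file is harmless.
        return raw.length == 0 ? "" : new String(raw, StandardCharsets.UTF_8);
    }

    /**
     * Resolves the password for a store: read from the file if a path is configured,
     * otherwise the empty password.
     *
     * @param passwordPath path of the password file, may be {@code null} or empty
     * @return the password to use (never {@code null})
     * @throws IOException if the password file cannot be read
     */
    private String resolvePassword(String passwordPath) throws IOException {
        if (Strings.isNullOrEmpty(passwordPath)) {
            return "";
        }
        return getPasswordFromFile(passwordPath);
    }

    /**
     * Loads a {@link KeyStore} from disk.
     *
     * @param keyStoreType     store type passed to {@link KeyStore#getInstance(String)}
     * @param keyStoreLocation path of the store file
     * @param keyStorePassword store password; trimmed before use
     * @return the loaded store
     * @throws KeyStoreException        if the store type is not supported
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @throws CertificateException     if a certificate in the store cannot be loaded
     * @throws IOException              if the file cannot be read or the password is wrong
     */
    private KeyStore loadKeyStore(String keyStoreType, String keyStoreLocation, String keyStorePassword)
            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        try (FileInputStream in = new FileInputStream(keyStoreLocation)) {
            keyStore.load(in, keyStorePassword.trim().toCharArray());
        }
        return keyStore;
    }

    @Override
    public String getHandlerName() {
        return TLSCONTEXT_HANDLER_NAME;
    }

    /**
     * Builds a {@link KeyManagerFactory} from the configured key store.
     *
     * @param keyStoreType         store type
     * @param keyStoreLocation     path of the key store; must not be empty
     * @param keyStorePasswordPath path of the password file, may be {@code null} or empty
     * @return an initialized key manager factory
     * @throws SecurityException         if no key store location is configured
     * @throws UnrecoverableKeyException if a key cannot be recovered (typically a wrong password)
     */
    private KeyManagerFactory initKeyManagerFactory(String keyStoreType, String keyStoreLocation,
            String keyStorePasswordPath) throws SecurityException, KeyStoreException,
            NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException {
        if (Strings.isNullOrEmpty(keyStoreLocation)) {
            LOG.error("Key store location cannot be empty when Mutual Authentication is enabled!");
            throw new SecurityException("Key store location cannot be empty when Mutual Authentication is enabled!");
        }
        String password = resolvePassword(keyStorePasswordPath);
        KeyStore keyStore = loadKeyStore(keyStoreType, keyStoreLocation, password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // The same (trimmed) password protects both the store and the private key entries.
        kmf.init(keyStore, password.trim().toCharArray());
        return kmf;
    }

    /**
     * Builds a {@link TrustManagerFactory} from the configured trust store.
     *
     * @param trustStoreType         store type
     * @param trustStoreLocation     path of the trust store; must not be empty
     * @param trustStorePasswordPath path of the password file, may be {@code null} or empty
     * @return an initialized trust manager factory
     * @throws SecurityException if no trust store location is configured
     */
    private TrustManagerFactory initTrustManagerFactory(String trustStoreType, String trustStoreLocation,
            String trustStorePasswordPath) throws KeyStoreException, NoSuchAlgorithmException,
            CertificateException, IOException, SecurityException {
        if (Strings.isNullOrEmpty(trustStoreLocation)) {
            LOG.error("Trust Store location cannot be empty!");
            throw new SecurityException("Trust Store location cannot be empty!");
        }
        String password = resolvePassword(trustStorePasswordPath);
        KeyStore trustStore = loadKeyStore(trustStoreType, trustStoreLocation, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    /**
     * Maps the configured provider name to a Netty {@link SslProvider}.
     *
     * <p>Only {@code "OpenSSL"} (case-insensitive) selects OpenSSL, and only when the
     * native library is actually available; everything else (including {@code null})
     * falls back to the JDK provider.
     *
     * @param providerName configured provider name, may be {@code null}
     * @return the provider to use
     */
    private SslProvider getTLSProvider(String providerName) {
        if (providerName == null || !providerName.trim().equalsIgnoreCase("OpenSSL")) {
            LOG.info("Security provider - JDK");
            return SslProvider.JDK;
        }
        if (OpenSsl.isAvailable()) {
            LOG.info("Security provider - OpenSSL");
            return SslProvider.OPENSSL;
        }
        LOG.warn("OpenSSL Unavailable: ", OpenSsl.unavailabilityCause());
        LOG.info("Security provider - JDK");
        return SslProvider.JDK;
    }

    /**
     * Builds the client-side {@link SslContext}.
     *
     * <p>The trust store is always required; the key store is only loaded when
     * client authentication is enabled.
     *
     * @param conf must be a {@link ClientConfiguration}
     * @throws SecurityException if {@code conf} is not a client configuration or a store is missing
     */
    private void createClientContext(AbstractConfiguration conf) throws SecurityException, KeyStoreException,
            NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException {
        if (!(conf instanceof ClientConfiguration)) {
            throw new SecurityException("Client configuration not provided");
        }
        ClientConfiguration clientConf = (ClientConfiguration) conf;
        SslProvider provider = getTLSProvider(clientConf.getTLSProvider());
        boolean clientAuthEnabled = clientConf.getTLSClientAuthentication();

        TrustManagerFactory tmf = initTrustManagerFactory(clientConf.getTLSTrustStoreType(),
                clientConf.getTLSTrustStore(), clientConf.getTLSTrustStorePasswordPath());

        // NOTE(review): the client engine is built without endpoint identification, so the
        // server certificate is validated against the trust store but its hostname is not
        // checked here — confirm whether this deployment's configuration enables that elsewhere.
        SslContextBuilder builder = SslContextBuilder.forClient()
                .trustManager(tmf)
                .ciphers((Iterable<String>) null)
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(provider)
                .clientAuth(ClientAuth.REQUIRE);
        if (clientAuthEnabled) {
            builder.keyManager(initKeyManagerFactory(clientConf.getTLSKeyStoreType(),
                    clientConf.getTLSKeyStore(), clientConf.getTLSKeyStorePasswordPath()));
        }
        this.sslContext = builder.build();
    }

    /**
     * Builds the server-side {@link SslContext}.
     *
     * <p>The key store is always required; the trust store is only loaded — and client
     * certificates only required — when client authentication is enabled.
     *
     * @param conf must be a {@link ServerConfiguration}
     * @throws SecurityException if {@code conf} is not a server configuration or a store is missing
     */
    private void createServerContext(AbstractConfiguration conf) throws SecurityException, KeyStoreException,
            NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException {
        if (!(conf instanceof ServerConfiguration)) {
            throw new SecurityException("Server configuration not provided");
        }
        ServerConfiguration serverConf = (ServerConfiguration) conf;
        SslProvider provider = getTLSProvider(serverConf.getTLSProvider());
        boolean clientAuthEnabled = serverConf.getTLSClientAuthentication();

        KeyManagerFactory kmf = initKeyManagerFactory(serverConf.getTLSKeyStoreType(),
                serverConf.getTLSKeyStore(), serverConf.getTLSKeyStorePasswordPath());

        SslContextBuilder builder = SslContextBuilder.forServer(kmf)
                .ciphers((Iterable<String>) null)
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(provider)
                .startTls(true);
        if (clientAuthEnabled) {
            TrustManagerFactory tmf = initTrustManagerFactory(serverConf.getTLSTrustStoreType(),
                    serverConf.getTLSTrustStore(), serverConf.getTLSTrustStorePasswordPath());
            builder.trustManager(tmf).clientAuth(ClientAuth.REQUIRE);
        }
        this.sslContext = builder.build();
    }

    /**
     * Splits a comma-separated configuration value into trimmed, non-empty entries.
     *
     * @param value the raw configuration value, may be {@code null}
     * @return the entries, or {@code null} when the value yields none (engine defaults apply)
     */
    private static String[] parseCommaSeparated(String value) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        List<String> entries = new ArrayList<>();
        for (String entry : value.split(",")) {
            String trimmed = entry.trim();
            // Entries like " TLSv1.2" would otherwise be rejected by the SSLEngine later.
            if (!trimmed.isEmpty()) {
                entries.add(trimmed);
            }
        }
        return entries.isEmpty() ? null : entries.toArray(new String[0]);
    }

    /**
     * Builds the {@link SslContext} for the given node type and records the configured
     * protocol and cipher-suite restrictions.
     *
     * @param nodeType {@code Client} or {@code Server}
     * @param conf     the configuration to read TLS settings from
     * @throws SecurityException if the configuration is invalid, a store cannot be loaded,
     *                           or a key cannot be recovered (e.g. wrong password)
     * @throws RuntimeException  if the JDK lacks the standard keystore type or algorithm
     */
    @Override
    public synchronized void init(SecurityHandlerFactory.NodeType nodeType, AbstractConfiguration conf)
            throws SecurityException {
        String enabledCipherSuites = conf.getTLSEnabledCipherSuites();
        String enabledProtocols = conf.getTLSEnabledProtocols();
        try {
            switch (nodeType) {
                case Client:
                    createClientContext(conf);
                    break;
                case Server:
                    createServerContext(conf);
                    break;
                default:
                    throw new SecurityException(new IllegalArgumentException("Invalid NodeType"));
            }
            this.protocols = parseCommaSeparated(enabledProtocols);
            this.ciphers = parseCommaSeparated(enabledCipherSuites);
        } catch (IOException e) {
            throw new SecurityException("Error initializing TLSContext", e);
        } catch (KeyStoreException e) {
            throw new RuntimeException("Standard keystore type missing", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Standard algorithm missing", e);
        } catch (UnrecoverableKeyException e) {
            throw new SecurityException("Unable to load key manager, possibly wrong password given", e);
        } catch (CertificateException e) {
            throw new SecurityException("Unable to load keystore", e);
        }
    }

    /**
     * Creates a new {@link SslHandler} from the initialized context, restricting the
     * engine to the configured protocols and cipher suites when any were configured.
     *
     * @return a new handler for one channel
     * @throws IllegalStateException if {@link #init} has not been called
     */
    @Override
    public SslHandler newTLSHandler() {
        SslContext context = this.sslContext;
        if (context == null) {
            throw new IllegalStateException("TLSContextFactory.init() must be called before newTLSHandler()");
        }
        SslHandler handler = context.newHandler(PooledByteBufAllocator.DEFAULT);
        String[] enabledProtocols = this.protocols;
        if (enabledProtocols != null && enabledProtocols.length != 0) {
            handler.engine().setEnabledProtocols(enabledProtocols);
        }
        String[] enabledCiphers = this.ciphers;
        if (enabledCiphers != null && enabledCiphers.length != 0) {
            handler.engine().setEnabledCipherSuites(enabledCiphers);
        }
        return handler;
    }
}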
