package org.apache.pulsar.shade.org.apache.bookkeeper.tls;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.pulsar.shade.com.google.common.base.Strings;
import org.apache.pulsar.shade.io.netty.buffer.PooledByteBufAllocator;
import org.apache.pulsar.shade.io.netty.handler.ssl.ClientAuth;
import org.apache.pulsar.shade.io.netty.handler.ssl.OpenSsl;
import org.apache.pulsar.shade.io.netty.handler.ssl.SslContext;
import org.apache.pulsar.shade.io.netty.handler.ssl.SslContextBuilder;
import org.apache.pulsar.shade.io.netty.handler.ssl.SslHandler;
import org.apache.pulsar.shade.io.netty.handler.ssl.SslProvider;
import org.apache.pulsar.shade.org.apache.bookkeeper.conf.AbstractConfiguration;
import org.apache.pulsar.shade.org.apache.bookkeeper.conf.ClientConfiguration;
import org.apache.pulsar.shade.org.apache.bookkeeper.conf.ServerConfiguration;
import org.apache.pulsar.shade.org.apache.bookkeeper.tls.SecurityHandlerFactory;
import org.apache.pulsar.shade.org.apache.commons.io.FileUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/shade/org/apache/bookkeeper/tls/TLSContextFactory.class */
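/**
 * Builds a Netty {@link SslContext} from a BookKeeper client or server configuration and hands
 * out {@link SslHandler}s for it.
 * <p>
 * Lifecycle: {@link #init} must run once (it is synchronized) before {@link #newTLSHandler} is
 * called; {@code newTLSHandler} dereferences {@code sslContext} without a null check.
 * Key and trust material can be given as PEM files or as JKS/PKCS12 stores, selected by the
 * configured store type; store passwords are read from files, never from the configuration itself.
 */
public class TLSContextFactory implements SecurityHandlerFactory {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TLSContextFactory.class);
    private static final String TLSCONTEXT_HANDLER_NAME = "tls";

    // Written by init() (synchronized) and read by newTLSHandler() (unsynchronized). Callers are
    // expected to finish init() before any handler is created; no visibility guarantee is given
    // for a handler created concurrently with init().
    private String[] protocols;
    private String[] ciphers;
    private SslContext sslContext;

    /**
     * Store formats accepted by the {@code TLSKeyStoreType} / {@code TLSTrustStoreType} settings.
     * {@link #toString()} returns the name used in the configuration.
     */
    public enum KeyStoreType {
        PKCS12("PKCS12"),
        JKS("JKS"),
        PEM("PEM");

        private final String str;

        KeyStoreType(String str) {
            this.str = str;
        }

        @Override
        public String toString() {
            return this.str;
        }
    }

    /**
     * Reads a password file as UTF-8.
     * <p>
     * Both a missing file and an empty file yield {@code ""} (a nonexistent {@link File} reports
     * length 0), so a wrong password path degrades to "no password" rather than an error. The
     * content is returned verbatim, trailing newline included; callers that need a trimmed value
     * trim it themselves.
     *
     * @param path path of the password file
     * @return the file content, or {@code ""} when the file is absent or empty
     * @throws IOException if the file exists but cannot be read
     */
    private String getPasswordFromFile(String path) throws IOException {
        File passwordFile = new File(path);
        if (passwordFile.length() == 0) {
            return "";
        }
        return new String(FileUtils.readFileToByteArray(passwordFile), StandardCharsets.UTF_8);
    }

    /**
     * Password for a JKS/PKCS12 store: the file content when a password path is configured,
     * otherwise {@code ""}.
     */
    private String storePassword(String passwordPath) throws IOException {
        return Strings.isNullOrEmpty(passwordPath) ? "" : getPasswordFromFile(passwordPath);
    }

    /**
     * Password for a PEM private key: the file content when a password path is configured,
     * otherwise {@code null}, which Netty interprets as an unencrypted key.
     * Unlike the store password this value is NOT trimmed before use, so a trailing newline in
     * the password file is part of the password.
     */
    private String pemKeyPassword(String passwordPath) throws IOException {
        return Strings.isNullOrEmpty(passwordPath) ? null : getPasswordFromFile(passwordPath);
    }

    /**
     * Loads a JKS or PKCS12 store from disk.
     *
     * @param keyStoreType     a {@link KeyStore#getInstance(String)} type name (e.g. "JKS", "PKCS12")
     * @param keyStoreLocation path of the store file
     * @param keyStorePassword store password; trimmed because it normally comes from a file with a trailing newline
     * @return the loaded store
     * @throws KeyStoreException        if the store type is not supported
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @throws CertificateException     if a certificate in the store cannot be loaded
     * @throws IOException              if the file cannot be read or the password is wrong
     */
    @SuppressFBWarnings(value = {"OBL_UNSATISFIED_OBLIGATION"}, justification = "work around for java 9: https://github.com/spotbugs/spotbugs/issues/493")
    private KeyStore loadKeyStore(String keyStoreType, String keyStoreLocation, String keyStorePassword)
            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        try (FileInputStream in = new FileInputStream(keyStoreLocation)) {
            keyStore.load(in, keyStorePassword.trim().toCharArray());
        }
        return keyStore;
    }

    /** Name under which the handler is registered in the pipeline. */
    @Override
    public String getHandlerName() {
        return TLSCONTEXT_HANDLER_NAME;
    }

    /**
     * Builds a {@link KeyManagerFactory} from a JKS/PKCS12 key store.
     *
     * @param keyStoreType         store type name
     * @param keyStoreLocation     store file path; must not be empty
     * @param keyStorePasswordPath path of the password file, may be empty for an unprotected store
     * @throws SecurityException if no store location is configured
     */
    private KeyManagerFactory initKeyManagerFactory(String keyStoreType, String keyStoreLocation, String keyStorePasswordPath)
            throws SecurityException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException,
            UnrecoverableKeyException, InvalidKeySpecException {
        if (Strings.isNullOrEmpty(keyStoreLocation)) {
            LOG.error("Key store location cannot be empty when Mutual Authentication is enabled!");
            throw new SecurityException("Key store location cannot be empty when Mutual Authentication is enabled!");
        }
        String keyStorePassword = storePassword(keyStorePasswordPath);
        KeyStore keyStore = loadKeyStore(keyStoreType, keyStoreLocation, keyStorePassword);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // The key entries are assumed to be protected by the same (trimmed) password as the store.
        keyManagerFactory.init(keyStore, keyStorePassword.trim().toCharArray());
        return keyManagerFactory;
    }

    /**
     * Builds a {@link TrustManagerFactory} from a JKS/PKCS12 trust store.
     *
     * @param trustStoreType         store type name
     * @param trustStoreLocation     store file path; must not be empty
     * @param trustStorePasswordPath path of the password file, may be empty
     * @throws SecurityException if no store location is configured
     */
    private TrustManagerFactory initTrustManagerFactory(String trustStoreType, String trustStoreLocation, String trustStorePasswordPath)
            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, SecurityException {
        if (Strings.isNullOrEmpty(trustStoreLocation)) {
            LOG.error("Trust Store location cannot be empty!");
            throw new SecurityException("Trust Store location cannot be empty!");
        }
        KeyStore trustStore = loadKeyStore(trustStoreType, trustStoreLocation, storePassword(trustStorePasswordPath));
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        return trustManagerFactory;
    }

    /**
     * Maps the configured provider name to a Netty {@link SslProvider}.
     * "OpenSSL" (case-insensitive) selects the native provider when it is loadable and falls
     * back to the JDK provider, with a warning, when it is not; anything else selects the JDK.
     *
     * @param providerName configured provider name; must not be null
     */
    private SslProvider getTLSProvider(String providerName) {
        if (providerName.trim().equalsIgnoreCase("OpenSSL")) {
            if (OpenSsl.isAvailable()) {
                LOG.info("Security provider - OpenSSL");
                return SslProvider.OPENSSL;
            }
            // Trailing Throwable argument: SLF4J logs it as the exception, with stack trace.
            LOG.warn("OpenSSL Unavailable: ", OpenSsl.unavailabilityCause());
        }
        LOG.info("Security provider - JDK");
        return SslProvider.JDK;
    }

    /**
     * Applies the settings common to client and server contexts.
     * {@code ciphers(null)} selects the provider's default cipher list; session cache size and
     * timeout of 0 select the provider's defaults.
     */
    private static SslContextBuilder withCommonSettings(SslContextBuilder builder, SslProvider provider) {
        return builder.ciphers(null).sessionCacheSize(0L).sessionTimeout(0L).sslProvider(provider);
    }

    /**
     * Builds the client-side context: a trust manager from the configured trust store and, when
     * {@code TLSClientAuthentication} is on, a key manager so the client can present its own
     * certificate.
     *
     * @throws SecurityException if the configuration is not a {@link ClientConfiguration}, a
     *                           required path is missing, or a store type is not one of {@link KeyStoreType}
     */
    private void createClientContext(AbstractConfiguration abstractConfiguration)
            throws SecurityException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException,
            UnrecoverableKeyException, InvalidKeySpecException, NoSuchProviderException {
        if (!(abstractConfiguration instanceof ClientConfiguration)) {
            throw new SecurityException("Client configruation not provided");
        }
        ClientConfiguration conf = (ClientConfiguration) abstractConfiguration;
        SslProvider provider = getTLSProvider(conf.getTLSProvider());
        boolean clientAuthentication = conf.getTLSClientAuthentication();

        SslContextBuilder builder;
        // KeyStoreType.valueOf throws IllegalArgumentException for an unknown name; init() turns that
        // into a SecurityException. A null type is a NullPointerException and is not translated.
        switch (KeyStoreType.valueOf(conf.getTLSTrustStoreType())) {
            case PEM:
                if (Strings.isNullOrEmpty(conf.getTLSTrustStore())) {
                    throw new SecurityException("CA Certificate required");
                }
                builder = SslContextBuilder.forClient().trustManager(new File(conf.getTLSTrustStore()));
                break;
            case JKS:
            case PKCS12:
                builder = SslContextBuilder.forClient().trustManager(initTrustManagerFactory(
                        conf.getTLSTrustStoreType(), conf.getTLSTrustStore(), conf.getTLSTrustStorePasswordPath()));
                break;
            default:
                throw new SecurityException("Invalid Truststore type: " + conf.getTLSTrustStoreType());
        }
        // NOTE(review): clientAuth is a server-side setting; it is kept here for fidelity with the
        // original, but presumably has no effect on a client context — confirm against Netty.
        withCommonSettings(builder, provider).clientAuth(ClientAuth.REQUIRE);

        if (clientAuthentication) {
            switch (KeyStoreType.valueOf(conf.getTLSKeyStoreType())) {
                case PEM:
                    if (Strings.isNullOrEmpty(conf.getTLSCertificatePath())) {
                        throw new SecurityException("Valid Certificate is missing");
                    }
                    if (Strings.isNullOrEmpty(conf.getTLSKeyStore())) {
                        throw new SecurityException("Valid Key is missing");
                    }
                    builder.keyManager(new File(conf.getTLSCertificatePath()), new File(conf.getTLSKeyStore()),
                            pemKeyPassword(conf.getTLSKeyStorePasswordPath()));
                    break;
                case JKS:
                case PKCS12:
                    builder.keyManager(initKeyManagerFactory(
                            conf.getTLSKeyStoreType(), conf.getTLSKeyStore(), conf.getTLSKeyStorePasswordPath()));
                    break;
                default:
                    throw new SecurityException("Invalid Keyfile type" + conf.getTLSKeyStoreType());
            }
        }
        this.sslContext = builder.build();
    }

    /**
     * Builds the server-side context from the configured key store and, when
     * {@code TLSClientAuthentication} is on, requires and verifies a client certificate against
     * the configured trust store.
     * {@code startTls(true)} lets the first outbound write go out unencrypted; presumably this is
     * for the BookKeeper STARTTLS-style negotiation — confirm against the protocol handler.
     *
     * @throws SecurityException if the configuration is not a {@link ServerConfiguration}, a
     *                           required path is missing, or a store type is not one of {@link KeyStoreType}
     */
    private void createServerContext(AbstractConfiguration abstractConfiguration)
            throws SecurityException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException,
            UnrecoverableKeyException, InvalidKeySpecException, IllegalArgumentException {
        if (!(abstractConfiguration instanceof ServerConfiguration)) {
            throw new SecurityException("Server configruation not provided");
        }
        ServerConfiguration conf = (ServerConfiguration) abstractConfiguration;
        SslProvider provider = getTLSProvider(conf.getTLSProvider());
        boolean clientAuthentication = conf.getTLSClientAuthentication();

        SslContextBuilder builder;
        switch (KeyStoreType.valueOf(conf.getTLSKeyStoreType())) {
            case PEM:
                if (Strings.isNullOrEmpty(conf.getTLSKeyStore())) {
                    throw new SecurityException("Key path is required");
                }
                if (Strings.isNullOrEmpty(conf.getTLSCertificatePath())) {
                    throw new SecurityException("Certificate path is required");
                }
                builder = SslContextBuilder.forServer(new File(conf.getTLSCertificatePath()), new File(conf.getTLSKeyStore()),
                        pemKeyPassword(conf.getTLSKeyStorePasswordPath()));
                break;
            case JKS:
            case PKCS12:
                builder = SslContextBuilder.forServer(initKeyManagerFactory(
                        conf.getTLSKeyStoreType(), conf.getTLSKeyStore(), conf.getTLSKeyStorePasswordPath()));
                break;
            default:
                throw new SecurityException("Invalid Keyfile type" + conf.getTLSKeyStoreType());
        }
        withCommonSettings(builder, provider).startTls(true);

        if (clientAuthentication) {
            // Mutual TLS: a client certificate is mandatory and must chain to the trust store.
            builder.clientAuth(ClientAuth.REQUIRE);
            switch (KeyStoreType.valueOf(conf.getTLSTrustStoreType())) {
                case PEM:
                    if (Strings.isNullOrEmpty(conf.getTLSTrustStore())) {
                        throw new SecurityException("CA Certificate chain is required");
                    }
                    builder.trustManager(new File(conf.getTLSTrustStore()));
                    break;
                case JKS:
                case PKCS12:
                    builder.trustManager(initTrustManagerFactory(
                            conf.getTLSTrustStoreType(), conf.getTLSTrustStore(), conf.getTLSTrustStorePasswordPath()));
                    break;
                default:
                    throw new SecurityException("Invalid Truststore type" + conf.getTLSTrustStoreType());
            }
        }
        this.sslContext = builder.build();
    }

    /**
     * Splits a comma-separated configuration list into its entries, trimming surrounding
     * whitespace and dropping empty entries (so {@code "a, b"} yields {@code ["a", "b"]} instead
     * of an entry {@code " b"} that the SSL engine would reject).
     */
    private static String[] splitList(String csv) {
        return Arrays.stream(csv.split(","))
                .map(String::trim)
                .filter(entry -> !entry.isEmpty())
                .toArray(String[]::new);
    }

    /**
     * Builds the {@link SslContext} for the given node type and records the enabled protocol and
     * cipher-suite lists, if configured.
     * <p>
     * Configuration and key-material problems surface as {@link SecurityException}; the absence
     * of a standard store type or algorithm in the JVM is treated as an environment fault and
     * rethrown as {@link RuntimeException}.
     *
     * @param nodeType              {@code Client} or {@code Server}
     * @param abstractConfiguration the matching {@link ClientConfiguration} or {@link ServerConfiguration}
     * @throws SecurityException on any configuration, I/O or key-loading failure, or an unknown node type
     */
    @Override
    public synchronized void init(SecurityHandlerFactory.NodeType nodeType, AbstractConfiguration abstractConfiguration)
            throws SecurityException {
        String enabledCipherSuites = abstractConfiguration.getTLSEnabledCipherSuites();
        String enabledProtocols = abstractConfiguration.getTLSEnabledProtocols();
        try {
            switch (nodeType) {
                case Client:
                    createClientContext(abstractConfiguration);
                    break;
                case Server:
                    createServerContext(abstractConfiguration);
                    break;
                default:
                    throw new SecurityException(new IllegalArgumentException("Invalid NodeType"));
            }
            if (!Strings.isNullOrEmpty(enabledProtocols)) {
                this.protocols = splitList(enabledProtocols);
            }
            if (!Strings.isNullOrEmpty(enabledCipherSuites)) {
                this.ciphers = splitList(enabledCipherSuites);
            }
        } catch (IOException e) {
            throw new SecurityException("Error initializing SSLContext", e);
        } catch (IllegalArgumentException e) {
            // Covers KeyStoreType.valueOf on an unknown store type.
            throw new SecurityException("Invalid TLS configuration", e);
        } catch (KeyStoreException e) {
            throw new RuntimeException("Standard keystore type missing", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Standard algorithm missing", e);
        } catch (NoSuchProviderException e) {
            throw new SecurityException("No such provider", e);
        } catch (UnrecoverableKeyException e) {
            throw new SecurityException("Unable to load key manager, possibly bad password", e);
        } catch (CertificateException e) {
            throw new SecurityException("Unable to load keystore", e);
        } catch (InvalidKeySpecException e) {
            throw new SecurityException("Unable to load key manager", e);
        }
    }

    /**
     * Creates a new {@link SslHandler} from the context built by {@link #init}, restricting the
     * engine to the configured protocol and cipher-suite lists when they are non-empty.
     * <p>
     * NOTE(review): no endpoint identification algorithm is set on the engine, so a client built
     * here validates the server's certificate chain but not its hostname — confirm this is the
     * intended trust model before relying on it.
     *
     * @return a handler for a fresh {@code SSLEngine}
     * @throws NullPointerException if {@link #init} has not completed
     */
    @Override
    public SslHandler newTLSHandler() {
        SslHandler handler = this.sslContext.newHandler(PooledByteBufAllocator.DEFAULT);
        if (this.protocols != null && this.protocols.length != 0) {
            handler.engine().setEnabledProtocols(this.protocols);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Enabled cipher protocols: {} ", Arrays.toString(handler.engine().getEnabledProtocols()));
        }
        if (this.ciphers != null && this.ciphers.length != 0) {
            handler.engine().setEnabledCipherSuites(this.ciphers);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Enabled cipher suites: {} ", Arrays.toString(handler.engine().getEnabledCipherSuites()));
        }
        return handler;
    }
}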
