package io.vertx.core.net.impl;

import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelHandler;
import io.netty.handler.ssl.DelegatingSslContext;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.AsyncMapping;
import io.netty.util.concurrent.ImmediateExecutor;
import io.vertx.core.Future;
import io.vertx.core.Promise;
import io.vertx.core.VertxException;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.file.FileSystem;
import io.vertx.core.http.ClientAuth;
import io.vertx.core.impl.ContextInternal;
import io.vertx.core.impl.VertxInternal;
import io.vertx.core.impl.future.PromiseInternal;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.net.ClientOptionsBase;
import io.vertx.core.net.JdkSSLEngineOptions;
import io.vertx.core.net.KeyCertOptions;
import io.vertx.core.net.NetClientOptions;
import io.vertx.core.net.NetServerOptions;
import io.vertx.core.net.OpenSSLEngineOptions;
import io.vertx.core.net.SSLEngineOptions;
import io.vertx.core.net.SocketAddress;
import io.vertx.core.net.TCPSSLOptions;
import io.vertx.core.net.TrustOptions;
import io.vertx.core.spi.tls.DefaultSslContextFactory;
import io.vertx.core.spi.tls.SslContextFactory;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:io/vertx/core/net/impl/SSLHelper.class */
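/**
 * Builds the Netty {@link SslContext}, {@link SslHandler} and {@link SniHandler} instances used by the
 * Vert.x TCP client and server from a snapshot of {@link TCPSSLOptions}.
 *
 * <p>{@link #init(ContextInternal)} resolves the {@link SslContextFactory} supplier off the event loop
 * and validates the configured key/trust material. Created contexts are cached per ALPN mode and, for
 * SNI servers, per server name (see {@link #createContext(VertxInternal, String, boolean, boolean, boolean)}).
 */
public class SSLHelper {
    /** Maps the Vert.x client-auth setting onto Netty's equivalent (filled in the static initializer). */
    private static final EnumMap<ClientAuth, io.netty.handler.ssl.ClientAuth> CLIENT_AUTH_MAPPING = new EnumMap<>(ClientAuth.class);
    private static final Logger log;

    // Snapshot of the options this helper was built from.
    private final boolean ssl;
    private final boolean sni;
    private final long sslHandshakeTimeout;
    private final TimeUnit sslHandshakeTimeoutUnit;
    // Client only: when true the peer chain is accepted without any check (see createTrustAllTrustManager).
    private final boolean trustAll;
    private final ClientAuth clientAuth;
    private final boolean client;
    private final boolean useAlpn;
    private final Set<String> enabledProtocols;
    // Client only: an empty string means no endpoint identification (hostname check) is requested from the engine.
    private final String endpointIdentificationAlgorithm;
    private final SSLEngineOptions sslEngineOptions;
    private final KeyCertOptions keyCertOptions;
    private final TrustOptions trustOptions;
    private final ArrayList<String> crlPaths;
    private final ArrayList<Buffer> crlValues;
    private final Set<String> enabledCipherSuites;
    private final List<String> applicationProtocols;
    private final boolean useWorkerPool;

    // Resolved once by init(); reads/writes of this field are guarded by the helper's monitor.
    private Future<Supplier<SslContextFactory>> sslProvider;
    // Default contexts: index 0 = ALPN enabled, index 1 = ALPN disabled.
    private SslContext[] sslContexts = new SslContext[2];
    // Per-server-name contexts, same index convention; keyed by the SNI name received from the peer.
    private Map<String, SslContext>[] sslContextMaps = {new ConcurrentHashMap<>(), new ConcurrentHashMap<>()};

    /**
     * Chooses the SSL engine implementation for the given configuration.
     *
     * <p>When no engine is configured and ALPN is required, the first engine reporting ALPN support is
     * chosen, JDK first then OpenSSL. When nothing is configured otherwise, the JDK engine is used.
     *
     * @param engineOptions the configured engine options, may be {@code null}
     * @param useAlpn       whether the selected engine must support ALPN
     * @return the engine options to use, never {@code null}
     * @throws VertxException when OpenSSL is requested but not available (Netty's unavailability cause is
     *                        attached when known), or when ALPN is required but the selected engine does
     *                        not support it
     */
    public static SSLEngineOptions resolveEngineOptions(SSLEngineOptions engineOptions, boolean useAlpn) {
        SSLEngineOptions resolved = engineOptions;
        if (resolved == null && useAlpn) {
            if (JdkSSLEngineOptions.isAlpnAvailable()) {
                resolved = new JdkSSLEngineOptions();
            } else if (OpenSSLEngineOptions.isAlpnAvailable()) {
                resolved = new OpenSSLEngineOptions();
            }
        }
        if (resolved == null) {
            resolved = new JdkSSLEngineOptions();
        } else if (resolved instanceof OpenSSLEngineOptions && !OpenSsl.isAvailable()) {
            VertxException failure = new VertxException("OpenSSL is not available");
            Throwable cause = OpenSsl.unavailabilityCause();
            if (cause != null) {
                failure.initCause(cause);
            }
            throw failure;
        }
        if (useAlpn) {
            if (resolved instanceof JdkSSLEngineOptions && !JdkSSLEngineOptions.isAlpnAvailable()) {
                throw new VertxException("ALPN not available for JDK SSL/TLS engine");
            }
            if (resolved instanceof OpenSSLEngineOptions && !OpenSSLEngineOptions.isAlpnAvailable()) {
                throw new VertxException("ALPN is not available for OpenSSL SSL/TLS engine");
            }
        }
        return resolved;
    }

    /**
     * Snapshots the TLS-related settings of {@code options}.
     *
     * <p>Role-specific settings are derived from the concrete options type: trust-all is read from
     * {@link ClientOptionsBase}, the hostname verification algorithm from {@link NetClientOptions},
     * client-auth and SNI from {@link NetServerOptions}; everything else falls back to the off/none
     * value. Key/cert and trust options are copied so later mutation of {@code options} does not leak
     * into this helper.
     *
     * @param options              the TCP/SSL options to read
     * @param applicationProtocols the ALPN protocol names to configure (kept by reference)
     */
    public SSLHelper(TCPSSLOptions options, List<String> applicationProtocols) {
        this.sslEngineOptions = options.getSslEngineOptions();
        this.crlPaths = new ArrayList<>(options.getCrlPaths());
        this.crlValues = new ArrayList<>(options.getCrlValues());
        this.enabledCipherSuites = new HashSet<>(options.getEnabledCipherSuites());
        this.ssl = options.isSsl();
        this.sslHandshakeTimeout = options.getSslHandshakeTimeout();
        this.sslHandshakeTimeoutUnit = options.getSslHandshakeTimeoutUnit();
        this.useAlpn = options.isUseAlpn();
        this.enabledProtocols = options.getEnabledSecureTransportProtocols();
        this.client = options instanceof ClientOptionsBase;
        this.trustAll = options instanceof ClientOptionsBase && ((ClientOptionsBase) options).isTrustAll();
        this.keyCertOptions = options.getKeyCertOptions() != null ? options.getKeyCertOptions().copy() : null;
        this.trustOptions = options.getTrustOptions() != null ? options.getTrustOptions().copy() : null;
        this.clientAuth = options instanceof NetServerOptions ? ((NetServerOptions) options).getClientAuth() : ClientAuth.NONE;
        this.endpointIdentificationAlgorithm = options instanceof NetClientOptions ? ((NetClientOptions) options).getHostnameVerificationAlgorithm() : "";
        this.sni = options instanceof NetServerOptions && ((NetServerOptions) options).isSni();
        this.applicationProtocols = applicationProtocols;
        this.useWorkerPool = this.sslEngineOptions != null && this.sslEngineOptions.getUseWorkerThread();
    }

    /** @return whether SSL/TLS is enabled in the options this helper was built from */
    public boolean isSSL() {
        return this.ssl;
    }

    /** @return whether SNI is enabled (server options only) */
    public boolean isSNI() {
        return this.sni;
    }

    /**
     * Applies the per-connection settings to a freshly created engine.
     *
     * <p>The enabled protocols become the intersection of the configured set and the engine's supported
     * protocols, in configuration order; an empty intersection is logged as a warning and leaves the
     * engine with no enabled protocol. On the client side the endpoint identification algorithm is
     * requested only when one was configured, so an empty algorithm means the engine performs no
     * hostname check. When a server name is given it is set as the engine's SNI host name.
     *
     * @param engine     the engine to configure
     * @param serverName the SNI host name to set, or {@code null} to leave the server names untouched
     */
    public void configureEngine(SSLEngine engine, String serverName) {
        LinkedHashSet<String> protocols = new LinkedHashSet<>(this.enabledProtocols);
        protocols.retainAll(Arrays.asList(engine.getSupportedProtocols()));
        if (protocols.isEmpty()) {
            log.warn("no SSL/TLS protocols are enabled due to configuration restrictions");
        }
        engine.setEnabledProtocols(protocols.toArray(new String[0]));
        if (this.client && !this.endpointIdentificationAlgorithm.isEmpty()) {
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm(this.endpointIdentificationAlgorithm);
            engine.setSSLParameters(params);
        }
        if (serverName != null) {
            SSLParameters params = engine.getSSLParameters();
            params.setServerNames(Collections.singletonList(new SNIHostName(serverName)));
            engine.setSSLParameters(params);
        }
    }

    /**
     * Resolves the {@link SslContextFactory} supplier once, off the event loop, and reports completion
     * on the caller's context.
     *
     * <p>The first call validates the configured material on a blocking worker: the trust managers are
     * built (which also loads and parses the configured CRLs), and on the server side a key manager
     * factory must be available or the future fails with "Key/certificate is mandatory for SSL". The
     * engine options are then resolved via {@link #resolveEngineOptions(SSLEngineOptions, boolean)}.
     * When neither SSL, key/cert options, trust options nor trust-all are configured, a JDK
     * {@link DefaultSslContextFactory} is used without any validation. Later calls reuse the stored
     * future, so validation errors are reported to every caller.
     *
     * @param context the context whose worker pool runs the blocking work and on which the result is delivered
     * @return a future completed once the provider is ready, or failed with the validation error
     */
    public synchronized Future<Void> init(ContextInternal context) {
        Future<Supplier<SslContextFactory>> provider = this.sslProvider;
        if (provider == null) {
            if (this.keyCertOptions != null || this.trustOptions != null || this.trustAll || this.ssl) {
                Promise<Supplier<SslContextFactory>> resolved = Promise.promise();
                provider = resolved.future();
                context.<Void>executeBlockingInternal(validation -> {
                    try {
                        // Fails early on unusable trust material (including CRL parsing).
                        getTrustMgrFactory(context.owner(), null, false);
                        KeyManagerFactory kmf = getKeyMgrFactory(context.owner());
                        if (this.client || kmf != null) {
                            validation.complete();
                        } else {
                            validation.fail("Key/certificate is mandatory for SSL");
                        }
                    } catch (Exception e) {
                        validation.fail(e);
                    }
                }).compose(ignored -> context.<Supplier<SslContextFactory>>executeBlockingInternal(selection -> {
                    try {
                        SSLEngineOptions engine = resolveEngineOptions(this.sslEngineOptions, this.useAlpn);
                        selection.complete(engine::sslContextFactory);
                    } catch (Exception e) {
                        selection.fail(e);
                    }
                })).onComplete2(resolved);
            } else {
                provider = Future.succeededFuture(() -> new DefaultSslContextFactory(SslProvider.JDK, false));
            }
            this.sslProvider = provider;
        }
        PromiseInternal<Void> done = context.promise();
        provider.mapEmpty().onComplete2(done);
        return done.future();
    }

    /**
     * Returns the mapping used by the {@link SniHandler} to obtain an {@link SslContext} for each SNI
     * server name.
     *
     * <p>Context creation runs on a blocking worker of {@code context}; the resulting context is wrapped
     * so that every engine it creates is configured by {@link #configureEngine(SSLEngine, String)} with
     * the requested server name.
     *
     * @param context the context whose worker pool performs the blocking context creation
     * @return an async mapping from server name to a (possibly {@code null}) context
     */
    public AsyncMapping<? super String, ? extends SslContext> serverNameMapper(ContextInternal context) {
        return (serverName, nettyPromise) -> {
            context.<SslContext>executeBlockingInternal(blocking -> {
                SslContext sslCtx = createContext(context.owner(), serverName, this.useAlpn, this.client, this.trustAll);
                if (sslCtx != null) {
                    sslCtx = new DelegatingSslContext(sslCtx) {
                        @Override
                        protected void initEngine(SSLEngine engine) {
                            SSLHelper.this.configureEngine(engine, serverName);
                        }
                    };
                }
                blocking.complete(sslCtx);
            }, result -> {
                if (result.succeeded()) {
                    nettyPromise.setSuccess(result.result());
                } else {
                    nettyPromise.setFailure(result.cause());
                }
            });
            return nettyPromise;
        };
    }

    /**
     * Creates an engine from the default (non-SNI) context and configures it without a server name.
     *
     * @param vertx the Vert.x instance used to resolve key/trust material
     * @return a configured engine
     */
    public SSLEngine createEngine(VertxInternal vertx) {
        SSLEngine engine = createContext(vertx).newEngine(ByteBufAllocator.DEFAULT);
        configureEngine(engine, null);
        return engine;
    }

    /**
     * Returns the default context for this helper's ALPN, client and trust-all settings.
     *
     * @param vertx the Vert.x instance used to resolve key/trust material
     * @return the cached default context
     */
    public SslContext createContext(VertxInternal vertx) {
        return createContext(vertx, null, this.useAlpn, this.client, this.trustAll);
    }

    /**
     * Returns a cached context, creating it on first use.
     *
     * <p>Contexts are cached per ALPN mode (slot 0 with ALPN, slot 1 without). With a server name the
     * per-name map of that slot is used, otherwise the single default slot.
     *
     * <p>NOTE(review): the per-name maps are keyed by the name the peer sent in SNI and entries are
     * never evicted, so they grow with the number of distinct names seen; the default slot is filled
     * without synchronization, so concurrent first callers may each build a context (last writer wins).
     *
     * @param vertx      the Vert.x instance used to resolve key/trust material
     * @param serverName the SNI server name, or {@code null} for the default context
     * @param useAlpn    whether ALPN is enabled in the created context
     * @param forClient  whether to build a client-side context
     * @param trustAll   whether any peer certificate is accepted (see {@link #getTrustMgrFactory})
     * @return the context, never {@code null}
     * @throws VertxException wrapping any failure while building the context
     */
    public SslContext createContext(VertxInternal vertx, String serverName, boolean useAlpn, boolean forClient, boolean trustAll) {
        int slot = useAlpn ? 0 : 1;
        if (serverName != null) {
            return this.sslContextMaps[slot].computeIfAbsent(serverName, name -> createContext2(vertx, name, useAlpn, forClient, trustAll));
        }
        if (this.sslContexts[slot] == null) {
            this.sslContexts[slot] = createContext2(vertx, null, useAlpn, forClient, trustAll);
        }
        return this.sslContexts[slot];
    }

    /**
     * Wraps the default context so that each engine it creates is configured with {@code serverName}.
     *
     * @param vertx      the Vert.x instance used to resolve key/trust material
     * @param serverName the SNI host name set on each engine, or {@code null}
     * @param useAlpn    whether the underlying context has ALPN enabled
     * @return a delegating context
     */
    public SslContext sslContext(VertxInternal vertx, final String serverName, boolean useAlpn) {
        return new DelegatingSslContext(createContext(vertx, null, useAlpn, this.client, this.trustAll)) {
            @Override
            protected void initEngine(SSLEngine engine) {
                SSLHelper.this.configureEngine(engine, serverName);
            }
        };
    }

    /**
     * Builds a context from the resolved {@link SslContextFactory}.
     *
     * <p>Reads the provider future's result directly, so {@link #init(ContextInternal)} must have
     * completed first. Client-auth is only configured on server contexts; the key and trust manager
     * factories and the server name are only set when present.
     *
     * @throws VertxException wrapping any failure from the key/trust material or the factory
     */
    private SslContext createContext2(VertxInternal vertx, String serverName, boolean useAlpn, boolean forClient, boolean trustAll) {
        try {
            TrustManagerFactory tmf = getTrustMgrFactory(vertx, serverName, trustAll);
            KeyManagerFactory kmf = getKeyMgrFactory(vertx, serverName);
            SslContextFactory factory = this.sslProvider.result().get()
                    .useAlpn(useAlpn)
                    .forClient(forClient)
                    .enabledCipherSuites(this.enabledCipherSuites)
                    .applicationProtocols(this.applicationProtocols);
            if (!forClient) {
                factory.clientAuth(CLIENT_AUTH_MAPPING.get(this.clientAuth));
            }
            if (kmf != null) {
                factory.keyMananagerFactory(kmf);
            }
            if (tmf != null) {
                factory.trustManagerFactory(tmf);
            }
            if (serverName != null) {
                factory.serverName(serverName);
            }
            return factory.create();
        } catch (Exception e) {
            throw new VertxException(e);
        }
    }

    /**
     * Creates an {@link SslHandler} with no peer address and this helper's ALPN setting.
     *
     * @param vertx      the Vert.x instance used to resolve key/trust material
     * @param serverName the SNI host name configured on the engine, or {@code null}
     * @return the handler
     */
    public SslHandler createSslHandler(VertxInternal vertx, String serverName) {
        return createSslHandler(vertx, null, serverName);
    }

    /**
     * Creates an {@link SslHandler} for the given peer address and this helper's ALPN setting.
     *
     * @param vertx         the Vert.x instance used to resolve key/trust material
     * @param remoteAddress the peer address, or {@code null}
     * @param serverName    the SNI host name configured on the engine, or {@code null}
     * @return the handler
     */
    public SslHandler createSslHandler(VertxInternal vertx, SocketAddress remoteAddress, String serverName) {
        return createSslHandler(vertx, remoteAddress, serverName, this.useAlpn);
    }

    /**
     * Creates an {@link SslHandler} from {@link #sslContext(VertxInternal, String, boolean)}.
     *
     * <p>For a TCP peer address the host and port are handed to Netty; for domain sockets or no address
     * the handler is created without peer information. Delegated SSL tasks run on the internal worker
     * pool when the engine options ask for it, otherwise inline. The configured handshake timeout is
     * applied.
     *
     * @param vertx         the Vert.x instance used to resolve key/trust material
     * @param remoteAddress the peer address, or {@code null}
     * @param serverName    the SNI host name configured on the engine, or {@code null}
     * @param useAlpn       whether the underlying context has ALPN enabled
     * @return the handler
     */
    public SslHandler createSslHandler(VertxInternal vertx, SocketAddress remoteAddress, String serverName, boolean useAlpn) {
        SslContext sslCtx = sslContext(vertx, serverName, useAlpn);
        Executor executor = this.useWorkerPool ? vertx.getInternalWorkerPool().executor() : ImmediateExecutor.INSTANCE;
        SslHandler handler;
        if (remoteAddress == null || remoteAddress.isDomainSocket()) {
            handler = sslCtx.newHandler(ByteBufAllocator.DEFAULT, executor);
        } else {
            handler = sslCtx.newHandler(ByteBufAllocator.DEFAULT, remoteAddress.host(), remoteAddress.port(), executor);
        }
        handler.setHandshakeTimeout(this.sslHandshakeTimeout, this.sslHandshakeTimeoutUnit);
        return handler;
    }

    /**
     * Creates the SNI handler for a server, backed by {@link #serverNameMapper(ContextInternal)}.
     *
     * @param context the server context; its worker pool is used for blocking work and delegated tasks
     * @return the handler, with the configured handshake timeout in milliseconds
     */
    public SniHandler createSniHandler(ContextInternal context) {
        Executor executor = this.useWorkerPool ? context.owner().getInternalWorkerPool().executor() : ImmediateExecutor.INSTANCE;
        return new VertxSniHandler(serverNameMapper(context), executor, this.sslHandshakeTimeoutUnit.toMillis(this.sslHandshakeTimeout));
    }

    /**
     * Creates the channel handler to install: an SNI handler when SNI is enabled, otherwise an
     * {@link SslHandler} built from the default context without a server name.
     *
     * @param context the context the handler is created for
     * @return the handler
     */
    public ChannelHandler createHandler(ContextInternal context) {
        return this.sni ? createSniHandler(context) : createSslHandler(context.owner(), null);
    }

    /**
     * Resolves the key manager factory for a connection, preferring a server-name specific key.
     *
     * <p>When a server name is given and the key/cert options' key manager mapper yields a key manager
     * for it, that manager's private key and chain are copied into a fresh in-memory keystore (alias
     * "key", empty password) from which a factory is initialized. The mapped manager is queried with a
     * {@code null} alias, so it is assumed to hold a single entry — confirm against the mapper contract.
     * Otherwise the default factory from the key/cert options is returned, or {@code null} when no
     * key/cert options are configured.
     *
     * @throws Exception on keystore or key manager factory errors
     */
    private KeyManagerFactory getKeyMgrFactory(VertxInternal vertx, String serverName) throws Exception {
        KeyManagerFactory kmf = null;
        // Guard keyCertOptions too: a server name with no key/cert options must fall through, not NPE.
        if (serverName != null && this.keyCertOptions != null) {
            X509KeyManager mapped = this.keyCertOptions.keyManagerMapper(vertx).apply(serverName);
            if (mapped != null) {
                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null, null);
                keyStore.setKeyEntry("key", mapped.getPrivateKey(null), new char[0], mapped.getCertificateChain(null));
                kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(keyStore, new char[0]);
            }
        }
        if (kmf == null) {
            kmf = getKeyMgrFactory(vertx);
        }
        return kmf;
    }

    /**
     * Returns the default key manager factory from the key/cert options, or {@code null} when none are
     * configured.
     *
     * @throws Exception propagated from the key/cert options
     */
    private KeyManagerFactory getKeyMgrFactory(VertxInternal vertx) throws Exception {
        if (this.keyCertOptions == null) {
            return null;
        }
        return this.keyCertOptions.getKeyManagerFactory(vertx);
    }

    /**
     * Builds the trust manager factory for a connection, or {@code null} when no trust material applies.
     *
     * <p>With {@code trustAll} a manager that accepts every certificate is used and the configured trust
     * options are ignored. Otherwise the managers come from the trust options: for a given server name
     * the trust manager mapper is consulted first, then the default trust manager factory. When CRL
     * paths or values are configured, the CRLs are loaded (paths are resolved and read through the
     * Vert.x file system, blocking) and every {@link X509TrustManager} is wrapped so revoked
     * certificates are rejected before delegation.
     *
     * @param vertx      the Vert.x instance used to resolve trust material and files
     * @param serverName the SNI server name, or {@code null}
     * @param trustAll   whether to accept any peer certificate
     * @return the factory, or {@code null} when no trust manager could be derived
     * @throws Exception on trust material, file or CRL parsing errors
     */
    private TrustManagerFactory getTrustMgrFactory(VertxInternal vertx, String serverName, boolean trustAll) throws Exception {
        TrustManager[] managers = null;
        if (trustAll) {
            managers = new TrustManager[]{createTrustAllTrustManager()};
        } else if (this.trustOptions != null) {
            if (serverName != null) {
                Function<String, TrustManager[]> mapper = this.trustOptions.trustManagerMapper(vertx);
                if (mapper != null) {
                    managers = mapper.apply(serverName);
                }
            }
            if (managers == null) {
                TrustManagerFactory defaults = this.trustOptions.getTrustManagerFactory(vertx);
                if (defaults != null) {
                    managers = defaults.getTrustManagers();
                }
            }
        }
        if (managers == null) {
            return null;
        }
        // crlPaths/crlValues are always non-null (copied in the constructor).
        if (!this.crlPaths.isEmpty() || !this.crlValues.isEmpty()) {
            FileSystem fileSystem = vertx.fileSystem();
            Stream<Buffer> fromPaths = this.crlPaths.stream()
                    .map(path -> vertx.resolveFile(path).getAbsolutePath())
                    .map(fileSystem::readFileBlocking);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            List<CRL> crls = new ArrayList<>();
            for (Buffer crlData : Stream.concat(fromPaths, this.crlValues.stream()).collect(Collectors.toList())) {
                crls.addAll(certificateFactory.generateCRLs(new ByteArrayInputStream(crlData.getBytes())));
            }
            managers = createUntrustRevokedCertTrustManager(managers, crls);
        }
        return new VertxTrustManagerFactory(managers);
    }

    /**
     * Returns a copy of {@code managers} in which every {@link X509TrustManager} first rejects any
     * certificate of the presented chain that appears on one of {@code crls}, then delegates to the
     * original manager. Other trust manager types are passed through unchanged.
     *
     * <p>The check only calls {@link CRL#isRevoked(java.security.cert.Certificate)} on the CRLs as loaded;
     * the CRL signatures, issuers and validity periods are not verified here.
     *
     * @param managers the managers to wrap (not modified)
     * @param crls     the revocation lists to consult
     * @return a new array with the wrapped managers
     */
    private static TrustManager[] createUntrustRevokedCertTrustManager(TrustManager[] managers, final List<CRL> crls) {
        TrustManager[] wrapped = managers.clone();
        for (int i = 0; i < wrapped.length; i++) {
            if (wrapped[i] instanceof X509TrustManager) {
                final X509TrustManager delegate = (X509TrustManager) wrapped[i];
                wrapped[i] = new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                        checkRevoked(chain);
                        delegate.checkClientTrusted(chain, authType);
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                        checkRevoked(chain);
                        delegate.checkServerTrusted(chain, authType);
                    }

                    // Rejects the chain as soon as any CRL lists any of its certificates.
                    private void checkRevoked(X509Certificate[] chain) throws CertificateException {
                        for (X509Certificate certificate : chain) {
                            for (CRL crl : crls) {
                                if (crl.isRevoked(certificate)) {
                                    throw new CertificateException("Certificate revoked");
                                }
                            }
                        }
                    }

                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        return delegate.getAcceptedIssuers();
                    }
                };
            }
        }
        return wrapped;
    }

    /**
     * Returns a trust manager that accepts any client or server chain without any check and reports no
     * accepted issuers. It disables peer certificate authentication entirely and is selected only when
     * {@code trustAll} is set (see {@link #getTrustMgrFactory}).
     */
    private static TrustManager createTrustAllTrustManager() {
        return new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally no validation: trust-all mode.
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally no validation: trust-all mode.
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        };
    }

    static {
        CLIENT_AUTH_MAPPING.put(ClientAuth.REQUIRED, io.netty.handler.ssl.ClientAuth.REQUIRE);
        CLIENT_AUTH_MAPPING.put(ClientAuth.REQUEST, io.netty.handler.ssl.ClientAuth.OPTIONAL);
        CLIENT_AUTH_MAPPING.put(ClientAuth.NONE, io.netty.handler.ssl.ClientAuth.NONE);
        log = LoggerFactory.getLogger((Class<?>) SSLHelper.class);
    }
}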
