package org.apache.kafka.common.security.ssl;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.internal.logging.InternalLoggerFactory;
import io.netty.util.internal.logging.Log4JLoggerFactory;
import java.util.Arrays;
import javax.net.ssl.SSLEngine;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.security.ssl.SslEngineBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/common/security/ssl/NettySslEngineBuilder.class */
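/**
 * Builds server-side {@link SSLEngine} instances backed by Netty's OpenSSL provider.
 *
 * <p>Use {@link #maybeCreate(SslEngineBuilder)} to obtain an instance; it returns {@code null}
 * when the native OpenSSL bindings cannot be loaded so that the caller can fall back to another
 * engine source.
 *
 * <p>Loading this class has JVM-wide side effects: it installs Netty's Log4J logger factory and
 * sets the {@code io.netty.handler.ssl.openssl.useTasks} system property (see the static
 * initializer at the end of the class).
 */
public class NettySslEngineBuilder {
    private static final Logger log = LoggerFactory.getLogger(NettySslEngineBuilder.class);
    private final SslContext sslContext;

    /**
     * Creates a builder if Netty's OpenSSL support is usable in this JVM.
     *
     * @param sslEngineBuilder source of the keystore, truststore, protocol, cipher and
     *                         client-auth settings
     * @return a new builder, or {@code null} when OpenSSL is not available
     * @throws KafkaException if the SSL context cannot be built from the given settings
     */
    public static NettySslEngineBuilder maybeCreate(SslEngineBuilder sslEngineBuilder) {
        if (OpenSsl.isAvailable()) {
            return new NettySslEngineBuilder(createNettySslContext(sslEngineBuilder));
        }
        // Attach the load failure so operators can see why the native provider was skipped
        // (missing library, wrong architecture, ...) instead of only seeing the fallback.
        log.warn("Disabling netty because no OpenSSL is available.", OpenSsl.unavailabilityCause());
        return null;
    }

    /**
     * Translates the Kafka SSL settings into a Netty server {@link SslContext} that uses the
     * OpenSSL provider.
     *
     * @param sslEngineBuilder the configured Kafka SSL settings; a keystore is mandatory
     * @return the built server context
     * @throws KafkaException if no keystore is configured or if building the context fails
     */
    private static SslContext createNettySslContext(SslEngineBuilder sslEngineBuilder) {
        try {
            if (sslEngineBuilder.keystore() == null) {
                throw new KafkaException("When using netty in server mode, a keystore must be configured.");
            }
            SslEngineBuilder.PrivateKeyData privateKeyData = sslEngineBuilder.keystore().loadPrivateKeyData();
            // A null trust source is passed through on purpose when no truststore is configured;
            // Netty documents null here as "use the system default" trust anchors.
            SslContextBuilder contextBuilder = SslContextBuilder
                    .forServer(privateKeyData.key(), privateKeyData.certificateChain())
                    .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                    .sslProvider(SslProvider.OPENSSL)
                    .trustManager(sslEngineBuilder.truststore() == null ? null : sslEngineBuilder.truststore().loadAllCertificates());
            // Only restrict protocols / cipher suites when explicitly configured; otherwise the
            // provider defaults apply.
            if (sslEngineBuilder.enabledProtocols() != null) {
                contextBuilder.protocols(sslEngineBuilder.enabledProtocols());
            }
            if (sslEngineBuilder.cipherSuites() != null) {
                contextBuilder.ciphers(Arrays.asList(sslEngineBuilder.cipherSuites()));
            }
            boolean verifiesClientCertificates = false;
            switch (sslEngineBuilder.sslClientAuth()) {
                case NONE:
                    contextBuilder.clientAuth(ClientAuth.NONE);
                    break;
                case REQUIRED:
                    contextBuilder.clientAuth(ClientAuth.REQUIRE);
                    verifiesClientCertificates = true;
                    break;
                case REQUESTED:
                    contextBuilder.clientAuth(ClientAuth.OPTIONAL);
                    verifiesClientCertificates = true;
                    break;
                default:
                    // Unknown mode: leave the builder's own client-auth default in place.
                    break;
            }
            if (verifiesClientCertificates && sslEngineBuilder.truststore() == null) {
                // Without an explicit truststore, client certificates are checked against the
                // default trust anchors, which is usually far broader than intended for mTLS.
                log.warn("SSL client authentication is {} but no truststore is configured; "
                        + "client certificates will be validated against the default trust store.",
                        sslEngineBuilder.sslClientAuth());
            }
            // NOTE(review): this logs the store objects via toString(); confirm that their
            // string form never includes passwords or key material.
            log.info("netty is enabled for SSL context with keystore {}, truststore {}.", sslEngineBuilder.keystore(), sslEngineBuilder.truststore());
            return contextBuilder.build();
        } catch (KafkaException e) {
            // Already the exception type callers expect; rethrow as-is so the message
            // (e.g. the missing-keystore error) is not buried under a second wrapper.
            throw e;
        } catch (Exception e) {
            throw new KafkaException(e);
        }
    }

    private NettySslEngineBuilder(SslContext sslContext) {
        this.sslContext = sslContext;
    }

    /**
     * Creates a new engine from the shared server context.
     *
     * @param str the peer host, passed to Netty as an advisory hint
     * @param i   the peer port, passed to Netty as an advisory hint
     * @return a new {@link SSLEngine} allocated with {@link ByteBufAllocator#DEFAULT}
     */
    public SSLEngine newEngine(String str, int i) {
        return this.sslContext.newEngine(ByteBufAllocator.DEFAULT, str, i);
    }

    static {
        // Both calls change process-wide state, not just this class.
        InternalLoggerFactory.setDefaultFactory(Log4JLoggerFactory.INSTANCE);
        // Turns off Netty's use of delegated tasks for the OpenSSL engine.
        // NOTE(review): presumably only effective if set before Netty's OpenSSL engine classes
        // read the property — confirm nothing initializes them earlier.
        System.setProperty("io.netty.handler.ssl.openssl.useTasks", "false");
    }
}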
