package org.apache.zookeeper.common;

import io.netty.handler.ssl.DelegatingSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import org.apache.flume.source.http.BLOBHandler;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.common.X509Util;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/zookeeper-3.9.3.jar:org/apache/zookeeper/common/ClientX509Util.class */
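/**
 * Client-side {@link X509Util} specialisation that builds Netty {@link SslContext}s from a
 * {@link ZKConfig} using the {@code zookeeper.ssl.*} property namespace.
 *
 * <p>Keystore, truststore, protocol, cipher-suite, OCSP, client-auth and SSL-provider settings
 * are all read from the supplied config. When FIPS mode is on and the matching hostname
 * verification flag is set, the built context is wrapped so every {@link SSLEngine} it creates
 * runs HTTPS-style endpoint identification. In non-FIPS mode the hostname-verification flags are
 * instead handed to {@link #createTrustManager}, so the check is presumably done by the trust
 * manager rather than the engine (confirm against {@code X509Util}).
 *
 * <p>The list separator for protocols and cipher suites is a plain comma; it is held in a local
 * constant instead of being borrowed from an unrelated library's constant.
 */
public class ClientX509Util extends X509Util {
    private static final Logger LOG = LoggerFactory.getLogger(ClientX509Util.class);

    /** Separator for comma-delimited list properties (enabled protocols, cipher suites). */
    private static final String LIST_SEPARATOR = ",";

    /** Role label used in the hostname-verification debug message for client-side contexts. */
    private static final String SERVER_ROLE = "Server";

    /** Role label used in the hostname-verification debug message for server-side contexts. */
    private static final String CLIENT_ROLE = "Client";

    private final String sslAuthProviderProperty = getConfigPrefix() + "authProvider";
    private final String sslProviderProperty = getConfigPrefix() + "sslProvider";

    /** {@inheritDoc} All properties handled here live under {@code zookeeper.ssl.}. */
    @Override
    protected String getConfigPrefix() {
        return "zookeeper.ssl.";
    }

    /**
     * {@inheritDoc}
     *
     * <p>Always {@code false} for this utility: client-hostname verification is not enabled by
     * default here; it is still honoured when explicitly switched on via the config flag read by
     * {@code isClientHostnameVerificationEnabled}.
     */
    @Override
    protected boolean shouldVerifyClientHostname() {
        return false;
    }

    /** @return the full property name selecting the SSL auth provider. */
    public String getSslAuthProviderProperty() {
        return this.sslAuthProviderProperty;
    }

    /** @return the full property name selecting the Netty {@link SslProvider}. */
    public String getSslProviderProperty() {
        return this.sslProviderProperty;
    }

    /**
     * Builds a client-side Netty {@link SslContext}.
     *
     * <p>A missing keystore is only logged (a client may connect without presenting a
     * certificate); a missing truststore is logged by {@link #getTrustManager} and the builder
     * is then left with Netty's default trust configuration.
     *
     * @param zKConfig source of the {@code zookeeper.ssl.*} properties
     * @return the built context, wrapped with HTTPS endpoint identification when FIPS mode and
     *     server hostname verification are both enabled
     * @throws X509Exception.KeyManagerException if the keystore cannot be loaded
     * @throws X509Exception.TrustManagerException if the truststore cannot be loaded
     * @throws SSLException if Netty fails to build the context
     */
    public SslContext createNettySslContextForClient(ZKConfig zKConfig)
            throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
        String keyStoreLocation = zKConfig.getProperty(getSslKeystoreLocationProperty(), "");
        String keyStorePassword = getPasswordFromConfigPropertyOrFile(
                zKConfig, getSslKeystorePasswdProperty(), getSslKeystorePasswdPathProperty());
        String keyStoreType = zKConfig.getProperty(getSslKeystoreTypeProperty());

        SslContextBuilder builder = SslContextBuilder.forClient();
        if (keyStoreLocation.isEmpty()) {
            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
        } else {
            builder.keyManager(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType));
        }

        TrustManager trustManager = getTrustManager(zKConfig);
        if (trustManager != null) {
            builder.trustManager(trustManager);
        }
        applyCommonSettings(builder, zKConfig);

        SslContext context = builder.build();
        boolean verifyServerHostname = getFipsMode(zKConfig) && isServerHostnameVerificationEnabled(zKConfig);
        return verifyServerHostname ? addHostnameVerification(context, SERVER_ROLE) : context;
    }

    /**
     * Builds a server-side Netty {@link SslContext} from the keystore and truststore named in
     * the config.
     *
     * @param zKConfig source of the {@code zookeeper.ssl.*} properties
     * @return the built context
     * @throws X509Exception.SSLContextException if no keystore location is configured; a server
     *     cannot terminate TLS without a key
     * @throws X509Exception.KeyManagerException if the keystore cannot be loaded
     * @throws X509Exception.TrustManagerException if the truststore cannot be loaded
     * @throws SSLException if Netty fails to build the context
     */
    public SslContext createNettySslContextForServer(ZKConfig zKConfig)
            throws X509Exception.SSLContextException, X509Exception.KeyManagerException,
                   X509Exception.TrustManagerException, SSLException {
        String keyStoreLocation = zKConfig.getProperty(getSslKeystoreLocationProperty(), "");
        String keyStorePassword = getPasswordFromConfigPropertyOrFile(
                zKConfig, getSslKeystorePasswdProperty(), getSslKeystorePasswdPathProperty());
        String keyStoreType = zKConfig.getProperty(getSslKeystoreTypeProperty());

        if (keyStoreLocation.isEmpty()) {
            throw new X509Exception.SSLContextException(
                    "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
        }
        KeyManager keyManager = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
        return createNettySslContextForServer(zKConfig, keyManager, getTrustManager(zKConfig));
    }

    /**
     * Builds a server-side Netty {@link SslContext} from already-constructed managers.
     *
     * @param zKConfig source of OCSP, protocol, client-auth, cipher and provider settings
     * @param keyManager the server's key manager (required by {@link SslContextBuilder#forServer})
     * @param trustManager trust manager for client certificates, or {@code null} to leave the
     *     builder's default in place
     * @return the built context, wrapped with HTTPS endpoint identification when FIPS mode and
     *     client hostname verification are both enabled
     * @throws SSLException if Netty fails to build the context
     */
    public SslContext createNettySslContextForServer(ZKConfig zKConfig, KeyManager keyManager, TrustManager trustManager)
            throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forServer(keyManager);
        if (trustManager != null) {
            builder.trustManager(trustManager);
        }
        applyCommonSettings(builder, zKConfig);
        // Whether, and how strictly, connecting clients must present a certificate.
        builder.clientAuth(getClientAuth(zKConfig).toNettyClientAuth());

        SslContext context = builder.build();
        boolean verifyClientHostname = getFipsMode(zKConfig) && isClientHostnameVerificationEnabled(zKConfig);
        return verifyClientHostname ? addHostnameVerification(context, CLIENT_ROLE) : context;
    }

    /**
     * Applies the settings shared by client and server builders: OCSP, enabled protocols,
     * cipher suites (only when a list is available, see {@link #getCipherSuites}) and the
     * SSL provider.
     */
    private void applyCommonSettings(SslContextBuilder builder, ZKConfig zKConfig) {
        builder.enableOcsp(zKConfig.getBoolean(getSslOcspEnabledProperty()));
        builder.protocols(getEnabledProtocols(zKConfig));
        Iterable<String> cipherSuites = getCipherSuites(zKConfig);
        if (cipherSuites != null) {
            builder.ciphers(cipherSuites);
        }
        builder.sslProvider(getSslProvider(zKConfig));
    }

    /**
     * Wraps a context so that each engine it hands out performs HTTPS-style endpoint
     * identification, i.e. the peer certificate must match the connected hostname.
     *
     * @param sslContext context to wrap
     * @param role label ("Server"/"Client") used only in the debug log line
     * @return the delegating context
     */
    private SslContext addHostnameVerification(SslContext sslContext, final String role) {
        return new DelegatingSslContext(sslContext) {
            @Override
            protected void initEngine(SSLEngine engine) {
                SSLParameters params = engine.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                engine.setSSLParameters(params);
                if (ClientX509Util.LOG.isDebugEnabled()) {
                    ClientX509Util.LOG.debug(
                            "{} hostname verification: enabled HTTPS style endpoint identification algorithm", role);
                }
            }
        };
    }

    /**
     * Resolves the protocol list: the comma-separated enabled-protocols property if set,
     * otherwise a single-element array holding the protocol property (defaulting to
     * {@code DEFAULT_PROTOCOL}).
     */
    private String[] getEnabledProtocols(ZKConfig zKConfig) {
        String enabledProtocols = zKConfig.getProperty(getSslEnabledProtocolsProperty());
        if (enabledProtocols == null) {
            return new String[] {zKConfig.getProperty(getSslProtocolProperty(), DEFAULT_PROTOCOL)};
        }
        return enabledProtocols.split(LIST_SEPARATOR);
    }

    /** Parses the client-auth property into a {@link X509Util.ClientAuth}. */
    private X509Util.ClientAuth getClientAuth(ZKConfig zKConfig) {
        return X509Util.ClientAuth.fromPropertyValue(zKConfig.getProperty(getSslClientAuthProperty()));
    }

    /**
     * Resolves the cipher-suite list.
     *
     * @return the configured comma-separated suites if set; otherwise the {@link X509Util}
     *     defaults for the JDK provider, or {@code null} for any other provider so that the
     *     builder keeps that provider's own defaults
     */
    private Iterable<String> getCipherSuites(ZKConfig zKConfig) {
        String configured = zKConfig.getProperty(getSslCipherSuitesProperty());
        if (configured != null) {
            return Arrays.asList(configured.split(LIST_SEPARATOR));
        }
        if (getSslProvider(zKConfig) != SslProvider.JDK) {
            return null;
        }
        return Arrays.asList(X509Util.getDefaultCipherSuites());
    }

    /**
     * Reads the SSL provider property, defaulting to {@code JDK}.
     *
     * @throws IllegalArgumentException (from {@link Enum#valueOf}) if the value is not a
     *     {@link SslProvider} constant name
     */
    public SslProvider getSslProvider(ZKConfig zKConfig) {
        return SslProvider.valueOf(zKConfig.getProperty(getSslProviderProperty(), "JDK"));
    }

    /**
     * Builds the trust manager from the configured truststore.
     *
     * <p>CRL/OCSP revocation checking, both hostname-verification flags and FIPS mode are passed
     * through to {@link #createTrustManager}. A missing truststore location is logged as a
     * warning and {@code null} is returned, leaving the caller to fall back to defaults.
     *
     * @throws X509Exception.TrustManagerException if the truststore cannot be loaded
     */
    private TrustManager getTrustManager(ZKConfig zKConfig) throws X509Exception.TrustManagerException {
        String trustStoreLocation = zKConfig.getProperty(getSslTruststoreLocationProperty(), "");
        String trustStorePassword = getPasswordFromConfigPropertyOrFile(
                zKConfig, getSslTruststorePasswdProperty(), getSslTruststorePasswdPathProperty());
        String trustStoreType = zKConfig.getProperty(getSslTruststoreTypeProperty());
        boolean crlEnabled = zKConfig.getBoolean(getSslCrlEnabledProperty());
        boolean ocspEnabled = zKConfig.getBoolean(getSslOcspEnabledProperty());
        boolean verifyServerHostname = isServerHostnameVerificationEnabled(zKConfig);
        boolean verifyClientHostname = isClientHostnameVerificationEnabled(zKConfig);

        if (trustStoreLocation.isEmpty()) {
            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
            return null;
        }
        return createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType,
                crlEnabled, ocspEnabled, verifyServerHostname, verifyClientHostname, getFipsMode(zKConfig));
    }
}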
