package io.servicetalk.transport.netty.internal;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSslCertificateCompressionConfig;
import io.netty.handler.ssl.OpenSslContextOption;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslContextOption;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.AttributeKey;
import io.servicetalk.transport.api.CertificateCompressionAlgorithm;
import io.servicetalk.transport.api.ClientSslConfig;
import io.servicetalk.transport.api.ServerSslConfig;
import io.servicetalk.transport.api.SslConfig;
import io.servicetalk.utils.internal.ThrowableUtils;
import java.io.InputStream;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.util.List;
import java.util.function.Supplier;
import javax.annotation.Nullable;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/servicetalk/transport/netty/internal/SslContextFactory.class */
public final class SslContextFactory {
    static final AttributeKey<Long> HANDSHAKE_TIMEOUT_MILLIS = AttributeKey.newInstance("HANDSHAKE_TIMEOUT_MILLIS");
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) SslContextFactory.class);

    @Nullable
    private static final MethodHandle SSL_PROVIDER_OPTION_SUPPORTED;

    private SslContextFactory() {
    }

    public static SslContext forClient(ClientSslConfig clientSslConfig) {
        SslContextBuilder forClient = SslContextBuilder.forClient();
        KeyManagerFactory keyManagerFactory = clientSslConfig.keyManagerFactory();
        if (keyManagerFactory != null) {
            forClient.keyManager(keyManagerFactory);
        } else {
            InputStream inputStream = null;
            InputStream inputStream2 = null;
            try {
                inputStream = (InputStream) supplierNullSafe(clientSslConfig.keyCertChainSupplier());
                inputStream2 = (InputStream) supplierNullSafe(clientSslConfig.keySupplier());
                forClient.keyManager(inputStream, inputStream2, clientSslConfig.keyPassword());
                try {
                    BuilderUtils.closeAndRethrowUnchecked(inputStream);
                    BuilderUtils.closeAndRethrowUnchecked(inputStream2);
                } finally {
                    BuilderUtils.closeAndRethrowUnchecked(inputStream2);
                }
            } catch (Throwable th) {
                try {
                    BuilderUtils.closeAndRethrowUnchecked(inputStream);
                    BuilderUtils.closeAndRethrowUnchecked(inputStream2);
                    throw th;
                } catch (Throwable th2) {
                    inputStream2 = inputStream2;
                    throw th2;
                }
            }
        }
        return configureBuilder(clientSslConfig, forClient, false);
    }

    public static SslContext forServer(ServerSslConfig serverSslConfig) {
        SslContextBuilder forServer;
        KeyManagerFactory keyManagerFactory = serverSslConfig.keyManagerFactory();
        if (keyManagerFactory != null) {
            forServer = SslContextBuilder.forServer(keyManagerFactory);
        } else {
            InputStream inputStream = null;
            InputStream inputStream2 = null;
            try {
                inputStream = (InputStream) supplierNullSafe(serverSslConfig.keyCertChainSupplier());
                inputStream2 = (InputStream) supplierNullSafe(serverSslConfig.keySupplier());
                forServer = SslContextBuilder.forServer(inputStream, inputStream2, serverSslConfig.keyPassword());
                try {
                    BuilderUtils.closeAndRethrowUnchecked(inputStream);
                    BuilderUtils.closeAndRethrowUnchecked(inputStream2);
                } finally {
                    BuilderUtils.closeAndRethrowUnchecked(inputStream2);
                }
            } catch (Throwable th) {
                try {
                    BuilderUtils.closeAndRethrowUnchecked(inputStream);
                    BuilderUtils.closeAndRethrowUnchecked(inputStream2);
                    throw th;
                } catch (Throwable th2) {
                    inputStream2 = inputStream2;
                    throw th2;
                }
            }
        }
        switch (serverSslConfig.clientAuthMode()) {
            case NONE:
                forServer.clientAuth(ClientAuth.NONE);
                break;
            case OPTIONAL:
                forServer.clientAuth(ClientAuth.OPTIONAL);
                break;
            case REQUIRE:
                forServer.clientAuth(ClientAuth.REQUIRE);
                break;
            default:
                throw new IllegalArgumentException("Unsupported: " + serverSslConfig.clientAuthMode());
        }
        return configureBuilder(serverSslConfig, forServer, true);
    }

    private static void configureTrustManager(SslConfig sslConfig, SslContextBuilder sslContextBuilder) {
        if (sslConfig.trustManagerFactory() != null) {
            sslContextBuilder.trustManager(sslConfig.trustManagerFactory());
            return;
        }
        InputStream inputStream = (InputStream) supplierNullSafe(sslConfig.trustCertChainSupplier());
        try {
            sslContextBuilder.trustManager(inputStream);
        } finally {
            BuilderUtils.closeAndRethrowUnchecked(inputStream);
        }
    }

    private static void configureCertificateCompression(SslConfig sslConfig, SslContextBuilder sslContextBuilder, @Nullable SslProvider sslProvider, boolean z) {
        List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms = sslConfig.certificateCompressionAlgorithms();
        if (certificateCompressionAlgorithms == null || certificateCompressionAlgorithms.isEmpty()) {
            return;
        }
        if (sslProvider == null) {
            sslProvider = z ? SslContext.defaultServerProvider() : SslContext.defaultClientProvider();
        }
        try {
            if (SSL_PROVIDER_OPTION_SUPPORTED != null) {
                if (!(boolean) SSL_PROVIDER_OPTION_SUPPORTED.invokeExact(sslProvider, OpenSslContextOption.CERTIFICATE_COMPRESSION_ALGORITHMS)) {
                    return;
                }
            } else if (sslProvider != SslProvider.OPENSSL) {
                return;
            }
        } catch (Throwable th) {
            ThrowableUtils.throwException(th);
        }
        OpenSslCertificateCompressionConfig.Builder newBuilder = OpenSslCertificateCompressionConfig.newBuilder();
        for (CertificateCompressionAlgorithm certificateCompressionAlgorithm : certificateCompressionAlgorithms) {
            if (certificateCompressionAlgorithm.algorithmId() != 1) {
                throw new IllegalArgumentException("Unsupported: " + certificateCompressionAlgorithm);
            }
            newBuilder.addAlgorithm(ZlibOpenSslCertificateCompressionAlgorithm.INSTANCE, OpenSslCertificateCompressionConfig.AlgorithmMode.Both);
        }
        sslContextBuilder.option(OpenSslContextOption.CERTIFICATE_COMPRESSION_ALGORITHMS, newBuilder.build());
    }

    private static void configureNettyOptions(SslConfig sslConfig, SslContextBuilder sslContextBuilder) {
        int maxCertificateListBytes = sslConfig.maxCertificateListBytes();
        if (maxCertificateListBytes > 0) {
            sslContextBuilder.option(OpenSslContextOption.MAX_CERTIFICATE_LIST_BYTES, Integer.valueOf(maxCertificateListBytes));
        }
    }

    private static SslContext configureBuilder(SslConfig sslConfig, SslContextBuilder sslContextBuilder, boolean z) {
        configureTrustManager(sslConfig, sslContextBuilder);
        List<String> alpnProtocols = sslConfig.alpnProtocols();
        SslProvider nettySslProvider = SslUtils.toNettySslProvider(sslConfig.provider(), (alpnProtocols == null || alpnProtocols.isEmpty()) ? false : true);
        sslContextBuilder.sessionCacheSize(sslConfig.sessionCacheSize()).sessionTimeout(sslConfig.sessionTimeout()).applicationProtocolConfig(SslUtils.nettyApplicationProtocol(alpnProtocols)).sslProvider(SslUtils.toNettySslProvider(sslConfig.provider(), (alpnProtocols == null || alpnProtocols.isEmpty()) ? false : true)).protocols(sslConfig.sslProtocols()).ciphers(sslConfig.ciphers());
        configureCertificateCompression(sslConfig, sslContextBuilder, nettySslProvider, z);
        configureNettyOptions(sslConfig, sslContextBuilder);
        try {
            SslContext build = sslContextBuilder.build();
            build.attributes().attr(HANDSHAKE_TIMEOUT_MILLIS).set(Long.valueOf(sslConfig.handshakeTimeout().toMillis()));
            return build;
        } catch (SSLException e) {
            throw new IllegalArgumentException("Failed to build SslContext", e);
        }
    }

    @Nullable
    private static <T> T supplierNullSafe(@Nullable Supplier<T> supplier) {
        if (supplier == null) {
            return null;
        }
        return supplier.get();
    }

    static {
        MethodHandle methodHandle;
        try {
            methodHandle = MethodHandles.publicLookup().findStatic(SslProvider.class, "isOptionSupported", MethodType.methodType(Boolean.TYPE, SslProvider.class, SslContextOption.class));
        } catch (Throwable th) {
            LOGGER.debug("SSLProvider#isOptionSupported(SslProvider, SslContextOption) is available only starting from Netty 4.1.88.Final. Detected Netty version: {}", SslProvider.class.getPackage().getImplementationVersion(), th);
            methodHandle = null;
        }
        SSL_PROVIDER_OPTION_SUPPORTED = methodHandle;
    }
}
