package org.apache.dubbo.remoting.http3;

import java.io.InputStream;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSessionContext;
import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.common.ssl.AuthPolicy;
import org.apache.dubbo.common.ssl.Cert;
import org.apache.dubbo.common.ssl.CertManager;
import org.apache.dubbo.common.ssl.ProviderCert;
import org.apache.dubbo.netty.shaded.io.netty.buffer.ByteBufAllocator;
import org.apache.dubbo.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNegotiator;
import org.apache.dubbo.netty.shaded.io.netty.handler.ssl.ClientAuth;
import org.apache.dubbo.netty.shaded.io.netty.handler.ssl.SslContext;
import org.apache.dubbo.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import org.apache.dubbo.netty.shaded.io.netty.handler.ssl.util.SelfSignedCertificate;
import org.apache.dubbo.netty.shaded.io.netty.incubator.codec.http3.Http3;
import org.apache.dubbo.netty.shaded.io.netty.incubator.codec.quic.QuicSslContext;
import org.apache.dubbo.netty.shaded.io.netty.incubator.codec.quic.QuicSslContextBuilder;

/* loaded from: input_file:org/apache/dubbo/remoting/http3/Http3SslContexts.class */
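/**
 * Static factory for the QUIC/HTTP3 TLS contexts used by the Dubbo HTTP/3 transport.
 *
 * <p>The class is never instantiated (private constructor) and every inherited instance method
 * throws {@link UnsupportedOperationException}. It presumably extends {@link SslContext} only to
 * reach the inherited static PEM helpers {@code toPrivateKey} and {@code toX509Certificates}.
 *
 * <p><b>Security-relevant fallbacks</b> (both are logged at INFO only):
 * <ul>
 *   <li>Server side: with no provider certificate, or with a missing key or certificate chain, the
 *       context is built from a freshly generated self-signed certificate. Peers cannot validate
 *       such a certificate against a trust anchor.</li>
 *   <li>Client side: with no consumer certificate configured, the context uses
 *       {@link InsecureTrustManagerFactory}, so the server certificate is not verified at all.
 *       Traffic is encrypted but the peer is unauthenticated.</li>
 * </ul>
 * Deployments that need authenticated transport should make sure the {@link CertManager} always
 * yields a certificate configuration, and should alert on the two INFO messages emitted here.
 */
public final class Http3SslContexts extends SslContext {
    private static final ErrorTypeAwareLogger LOGGER = LoggerFactory.getErrorTypeAwareLogger(Http3SslContexts.class);

    private Http3SslContexts() {
    }

    /**
     * Builds the server-side QUIC TLS context for {@code url}.
     *
     * <p>Client-certificate handling: a trust store is installed only when the provider config
     * supplies a trust-cert stream. In that case client auth is {@link ClientAuth#REQUIRE} for
     * {@link AuthPolicy#CLIENT_AUTH} and {@link ClientAuth#OPTIONAL} for every other policy.
     * Without a trust-cert stream this method configures neither, so the builder's defaults apply.
     *
     * @param url provider URL used to look up the certificate configuration
     * @return the built context; a self-signed one when no usable key material is configured
     * @throws IllegalArgumentException if the key material cannot be read or parsed
     * @throws IllegalStateException if the context (or the self-signed fallback) cannot be built
     */
    public static QuicSslContext buildServerSslContext(URL url) {
        ProviderCert cert = getCertManager(url).getProviderConnectionConfig(url, url.toInetSocketAddress());
        if (cert == null) {
            return buildSelfSignedServerSslContext(url);
        }
        QuicSslContextBuilder builder;
        // try-with-resources closes every stream on all paths, including the early return.
        try (InputStream privateKeyIn = cert.getPrivateKeyInputStream();
                InputStream keyCertChainIn = cert.getKeyCertChainInputStream()) {
            if (keyCertChainIn == null || privateKeyIn == null) {
                // Incomplete key material silently downgrades to a self-signed certificate.
                return buildSelfSignedServerSslContext(url);
            }
            String password = cert.getPassword();
            builder = QuicSslContextBuilder.forServer(
                    toPrivateKey(privateKeyIn, password), password, toX509Certificates(keyCertChainIn));
            try (InputStream trustCertIn = cert.getTrustCertInputStream()) {
                if (trustCertIn != null) {
                    ClientAuth clientAuth =
                            cert.getAuthPolicy() == AuthPolicy.CLIENT_AUTH ? ClientAuth.REQUIRE : ClientAuth.OPTIONAL;
                    builder.trustManager(toX509Certificates(trustCertIn)).clientAuth(clientAuth);
                }
            }
        } catch (IllegalStateException e) {
            // Raised by the self-signed fallback; keep its type and message intact.
            throw e;
        } catch (Throwable t) {
            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", t);
        }
        try {
            return builder.applicationProtocols(Http3.supportedApplicationProtocols()).build();
        } catch (Throwable t) {
            throw new IllegalStateException("Build SslSession failed.", t);
        }
    }

    /**
     * Builds a server context from a freshly generated self-signed certificate.
     *
     * <p>The certificate is not anchored in any trust store, so a client can only connect if it
     * skips or relaxes server verification. Treat the INFO line below as a misconfiguration signal
     * outside of test environments.
     *
     * @param url provider URL, used for logging only
     * @return the built context
     * @throws IllegalStateException if the certificate cannot be generated or the context cannot be built
     */
    private static QuicSslContext buildSelfSignedServerSslContext(URL url) {
        LOGGER.info("Provider cert not configured, build self signed sslContext, url=[{}]", url.toString(""));
        try {
            SelfSignedCertificate selfSigned = new SelfSignedCertificate();
            try {
                // Use the in-memory key/cert rather than the temporary PEM files, so the files can
                // be removed immediately instead of leaving the private key on disk.
                return QuicSslContextBuilder.forServer(selfSigned.key(), (String) null, selfSigned.cert())
                        .applicationProtocols(Http3.supportedApplicationProtocols())
                        .build();
            } finally {
                selfSigned.delete();
            }
        } catch (Throwable t) {
            throw new IllegalStateException("Failed to create self signed certificate, Please import bcpkix jar", t);
        }
    }

    /**
     * Builds the client-side QUIC TLS context for {@code url}.
     *
     * <p>When no consumer certificate is configured the context trusts <em>any</em> server
     * certificate via {@link InsecureTrustManagerFactory}. When a configuration exists, its trust
     * certificates (if any) are installed, and its key and certificate chain are passed to
     * {@code keyManager} without a null check here.
     *
     * @param url consumer URL used to look up the certificate configuration
     * @return the built context
     * @throws IllegalArgumentException on any failure, including a failed {@code build()}
     */
    public static QuicSslContext buildClientSslContext(URL url) {
        Cert cert = getCertManager(url).getConsumerConnectionConfig(url);
        QuicSslContextBuilder builder = QuicSslContextBuilder.forClient();
        try {
            if (cert == null) {
                // SECURITY: no server authentication on this path; the peer identity is unverified.
                LOGGER.info("Consumer cert not configured, build insecure sslContext, url=[{}]", url.toString(""));
                builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
            } else {
                // All three streams are closed on every path; the earlier hand-rolled cleanup left
                // the key-cert-chain stream open when keyManager(...) threw.
                try (InputStream trustCertIn = cert.getTrustCertInputStream();
                        InputStream privateKeyIn = cert.getPrivateKeyInputStream();
                        InputStream keyCertChainIn = cert.getKeyCertChainInputStream()) {
                    if (trustCertIn != null) {
                        builder.trustManager(toX509Certificates(trustCertIn));
                    }
                    String password = cert.getPassword();
                    builder.keyManager(
                            toPrivateKey(privateKeyIn, password), password, toX509Certificates(keyCertChainIn));
                }
            }
            try {
                return builder.applicationProtocols(Http3.supportedApplicationProtocols()).build();
            } catch (Throwable t) {
                throw new IllegalStateException("Build SslSession failed.", t);
            }
        } catch (Throwable t) {
            // NOTE(review): unlike buildServerSslContext, the IllegalStateException above is
            // re-wrapped here, so callers only ever see IllegalArgumentException. Kept as is to
            // avoid changing the exception type callers may catch.
            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", t);
        }
    }

    /** Looks up the {@link CertManager} bean from the framework model that {@code url} belongs to. */
    private static CertManager getCertManager(URL url) {
        return (CertManager) url.getOrDefaultFrameworkModel().getBeanFactory().getBean(CertManager.class);
    }

    // The SslContext instance API is unsupported: this class only hosts static factories.

    @Override
    public boolean isClient() {
        throw new UnsupportedOperationException();
    }

    @Override
    public List<String> cipherSuites() {
        throw new UnsupportedOperationException();
    }

    @Override
    public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
        throw new UnsupportedOperationException();
    }

    @Override
    public SSLEngine newEngine(ByteBufAllocator byteBufAllocator) {
        throw new UnsupportedOperationException();
    }

    @Override
    public SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String str, int i) {
        throw new UnsupportedOperationException();
    }

    @Override
    public SSLSessionContext sessionContext() {
        throw new UnsupportedOperationException();
    }
}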
