package org.apache.dubbo.rpc.protocol.rest.netty.ssl;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.IOException;
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLException;
import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.common.ssl.AuthPolicy;
import org.apache.dubbo.common.ssl.Cert;
import org.apache.dubbo.common.ssl.CertManager;
import org.apache.dubbo.common.ssl.ProviderCert;

/* loaded from: input_file:org/apache/dubbo/rpc/protocol/rest/netty/ssl/SslContexts.class */
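/**
 * Builds Netty {@link SslContext} instances for the REST protocol's server and client sides
 * from the certificate material exposed by Dubbo's {@link ProviderCert} / {@link Cert}.
 *
 * <p>All certificate and key streams obtained here are closed before the methods return,
 * whether the build succeeds or fails.
 */
public class SslContexts {
    private static final ErrorTypeAwareLogger logger = LoggerFactory.getErrorTypeAwareLogger(SslContexts.class);

    /**
     * Creates the server-side TLS context.
     *
     * <p>Client-certificate handling depends on whether trust material is supplied:
     * with a trust stream, {@link AuthPolicy#CLIENT_AUTH} maps to {@link ClientAuth#REQUIRE}
     * and every other policy maps to {@link ClientAuth#OPTIONAL}; without a trust stream the
     * builder's client-auth setting is left untouched.
     *
     * @param providerCert certificate chain, private key, optional key password and optional
     *                     trust certificates for the server
     * @return the built server context
     * @throws IllegalArgumentException if any step fails with an {@link Exception}; this
     *                                  includes a failed build, whose
     *                                  {@link IllegalStateException} is carried as the cause
     */
    public static SslContext buildServerSslContext(ProviderCert providerCert) {
        InputStream keyCertChainInputStream = null;
        InputStream privateKeyInputStream = null;
        InputStream trustCertInputStream = null;
        try {
            keyCertChainInputStream = providerCert.getKeyCertChainInputStream();
            privateKeyInputStream = providerCert.getPrivateKeyInputStream();
            trustCertInputStream = providerCert.getTrustCertInputStream();
            // The key password is only handed to the builder; it must never be logged.
            String password = providerCert.getPassword();
            SslContextBuilder forServer = password != null
                    ? SslContextBuilder.forServer(keyCertChainInputStream, privateKeyInputStream, password)
                    : SslContextBuilder.forServer(keyCertChainInputStream, privateKeyInputStream);
            if (trustCertInputStream != null) {
                forServer.trustManager(trustCertInputStream);
                if (providerCert.getAuthPolicy() == AuthPolicy.CLIENT_AUTH) {
                    forServer.clientAuth(ClientAuth.REQUIRE);
                } else {
                    // OPTIONAL requests a client certificate but lets the handshake
                    // continue without one, so peers may still be unauthenticated.
                    forServer.clientAuth(ClientAuth.OPTIONAL);
                }
            }
            // NOTE(review): when the policy is CLIENT_AUTH but no trust stream is configured,
            // this branch is skipped and client certificates are not required. Confirm that
            // the configuration layer rejects that combination, or fail fast here.
            try {
                return forServer.sslProvider(findSslProvider()).build();
            } catch (SSLException e) {
                throw new IllegalStateException("Build SslSession failed.", e);
            }
        } catch (Exception e2) {
            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e2);
        } finally {
            // Close the real streams on every path so key material handles are not leaked
            // when loading or building fails.
            safeCloseStream(trustCertInputStream);
            safeCloseStream(keyCertChainInputStream);
            safeCloseStream(privateKeyInputStream);
        }
    }

    /**
     * Creates the client-side TLS context for the given URL.
     *
     * <p>Trust material is applied only when a trust stream is configured. A client
     * certificate is presented only when both the certificate chain and the private key are
     * configured; if just one of them is present, no key manager is set.
     *
     * @param url the consumer URL used to look up the {@link CertManager} and its
     *            connection configuration
     * @return the built client context, or {@code null} when no consumer certificate
     *         configuration exists for the URL
     * @throws IllegalArgumentException if any step fails with an {@link Exception}; this
     *                                  includes a failed build, whose
     *                                  {@link IllegalStateException} is carried as the cause
     */
    public static SslContext buildClientSslContext(URL url) {
        CertManager certManager =
                (CertManager) url.getOrDefaultFrameworkModel().getBeanFactory().getBean(CertManager.class);
        Cert consumerConnectionConfig = certManager.getConsumerConnectionConfig(url);
        if (consumerConnectionConfig == null) {
            return null;
        }
        SslContextBuilder forClient = SslContextBuilder.forClient();
        InputStream trustCertInputStream = null;
        InputStream keyCertChainInputStream = null;
        InputStream privateKeyInputStream = null;
        try {
            trustCertInputStream = consumerConnectionConfig.getTrustCertInputStream();
            if (trustCertInputStream != null) {
                forClient.trustManager(trustCertInputStream);
            }
            // NOTE(review): with no trust stream, no trust manager is set here, so the
            // provider's default trust settings apply. Confirm that is intended for
            // deployments that expect a private CA.
            keyCertChainInputStream = consumerConnectionConfig.getKeyCertChainInputStream();
            privateKeyInputStream = consumerConnectionConfig.getPrivateKeyInputStream();
            if (keyCertChainInputStream != null && privateKeyInputStream != null) {
                // The key password is only handed to the builder; it must never be logged.
                String password = consumerConnectionConfig.getPassword();
                if (password != null) {
                    forClient.keyManager(keyCertChainInputStream, privateKeyInputStream, password);
                } else {
                    forClient.keyManager(keyCertChainInputStream, privateKeyInputStream);
                }
            }
            // NOTE(review): endpoint identification (hostname verification) is not configured
            // in this method; confirm it is enabled where the SSLEngine is created.
            try {
                return forClient.sslProvider(findSslProvider()).build();
            } catch (SSLException e) {
                throw new IllegalStateException("Build SslSession failed.", e);
            }
        } catch (Exception e2) {
            throw new IllegalArgumentException("Could not find certificate file or find invalid certificate.", e2);
        } finally {
            // Close the real streams on every path so key material handles are not leaked
            // when loading or building fails.
            safeCloseStream(trustCertInputStream);
            safeCloseStream(keyCertChainInputStream);
            safeCloseStream(privateKeyInputStream);
        }
    }

    /**
     * Selects the TLS implementation: OpenSSL when Netty reports it available, otherwise the
     * JDK implementation if a provider for {@code SSLContext.TLS} is registered.
     *
     * @return the provider to pass to {@link SslContextBuilder#sslProvider}
     * @throws IllegalStateException if neither implementation is usable
     */
    private static SslProvider findSslProvider() {
        if (OpenSsl.isAvailable()) {
            logger.debug("Using OPENSSL provider.");
            return SslProvider.OPENSSL;
        }
        if (!checkJdkProvider()) {
            throw new IllegalStateException("Could not find any valid TLS provider, please check your dependency or deployment environment, usually netty-tcnative, Conscrypt, or Jetty NPN/ALPN is needed.");
        }
        logger.debug("Using JDK provider.");
        return SslProvider.JDK;
    }

    /**
     * Reports whether at least one installed security provider offers {@code SSLContext.TLS}.
     *
     * @return {@code true} if such a provider is registered
     */
    private static boolean checkJdkProvider() {
        // getProviders returns null (not an empty array) when nothing matches the filter.
        Provider[] providers = Security.getProviders("SSLContext.TLS");
        return providers != null && providers.length > 0;
    }

    /**
     * Closes the stream if it is non-null, logging instead of propagating a close failure so
     * that cleanup never masks the primary outcome.
     *
     * @param inputStream the stream to close; may be {@code null}
     */
    private static void safeCloseStream(InputStream inputStream) {
        if (inputStream == null) {
            return;
        }
        try {
            inputStream.close();
        } catch (IOException e) {
            logger.warn("6-13", "", "", "Failed to close a stream.", e);
        }
    }
}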
