package org.apache.rocketmq.mqtt.cs.protocol.ssl;

import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.IOException;
import java.io.InputStream;
import javax.annotation.PostConstruct;
import javax.annotation.Resource;
import javax.net.ssl.SSLEngine;
import org.apache.rocketmq.mqtt.cs.config.ConnectConf;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
import org.springframework.stereotype.Component;

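/**
 * Creates the server-side TLS context for the MQTT listener and hands out one
 * {@link SSLEngine} per accepted channel.
 *
 * <p>The certificate chain ({@code mqtt.crt}) and private key ({@code mqtt.key}) are
 * loaded from the classpath. Whatever artifact carries {@code mqtt.key} therefore has
 * to be protected like the key itself.
 *
 * <p>The context is only built when {@code connectConf.isEnableTlsSever()} is true;
 * otherwise {@link #buildSslEngine(SocketChannel)} must not be called.
 */
@Component
/* loaded from: input_file:org/apache/rocketmq/mqtt/cs/protocol/ssl/SslFactory.class */
public class SslFactory {
    private static final Logger LOG = LoggerFactory.getLogger(SslFactory.class);
    private static final String CERT_FILE_NAME = "mqtt.crt";
    private static final String KEY_FILE_NAME = "mqtt.key";

    @Resource
    private ConnectConf connectConf;
    private SslContext sslContext;

    /**
     * Builds {@link #sslContext} once the bean's dependencies are injected.
     *
     * @throws RuntimeException if the certificate or key cannot be read or the context
     *     cannot be built
     */
    @PostConstruct
    private void initSslContext() {
        if (!this.connectConf.isEnableTlsSever()) {
            return;
        }
        // try-with-resources: the original never closed either classpath stream.
        try (InputStream certStream = new ClassPathResource(CERT_FILE_NAME).getInputStream();
             InputStream keyStream = new ClassPathResource(KEY_FILE_NAME).getInputStream()) {
            SslContextBuilder builder = SslContextBuilder.forServer(certStream, keyStream);
            builder.clientAuth(ClientAuth.OPTIONAL);
            builder.sslProvider(OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK);
            if (this.connectConf.isNeedClientAuth()) {
                LOG.info("client tls authentication is required.");
                builder.clientAuth(ClientAuth.REQUIRE);
                // certStream has already been read by forServer(), so handing the same
                // stream to trustManager() would leave it nothing to parse. Open the
                // certificate a second time for the trust anchors.
                // NOTE(review): the server certificate file doubles as the trust store,
                // so only client certificates that chain to a certificate in mqtt.crt
                // will validate. Confirm this is intended; a dedicated CA bundle is the
                // usual arrangement for mutual TLS.
                try (InputStream trustStream = new ClassPathResource(CERT_FILE_NAME).getInputStream()) {
                    builder.trustManager(trustStream);
                }
            }
            this.sslContext = builder.build();
        } catch (IOException e) {
            throw new RuntimeException("failed to initialize ssl context.", e);
        }
    }

    /**
     * Creates a server-mode TLS engine for a newly accepted channel.
     *
     * @param socketChannel the accepted channel; its allocator backs the engine
     * @return an engine in server mode that demands a client certificate only when
     *     {@code connectConf.isNeedClientAuth()} is true
     * @throws IllegalStateException if the TLS context was never initialized
     */
    public SSLEngine buildSslEngine(SocketChannel socketChannel) {
        if (this.sslContext == null) {
            // Previously surfaced as a bare NullPointerException when TLS was disabled.
            throw new IllegalStateException("ssl context is not initialized; is the tls server enabled?");
        }
        SSLEngine engine = this.sslContext.newEngine(socketChannel.alloc());
        // Deliberately no setEnabledCipherSuites(getSupportedCipherSuites()): the
        // supported set is a superset of the provider's default-enabled set and can
        // include suites the provider keeps off by default because they are weak.
        // The engine keeps the defaults chosen by the SslContext instead.
        engine.setUseClientMode(false);
        // NOTE(review): per the SSLEngine contract this call overrides any earlier
        // want/need setting, so when the flag is false the ClientAuth.OPTIONAL set on
        // the context appears to have no effect. Behaviour kept as in the original.
        engine.setNeedClientAuth(this.connectConf.isNeedClientAuth());
        return engine;
    }
}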
