package org.apache.rocketmq.proxy.remoting;

import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.util.Locale;
import org.apache.commons.lang3.StringUtils;
import org.apache.rocketmq.logging.org.slf4j.Logger;
import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
import org.apache.rocketmq.remoting.netty.TlsHelper;
import org.apache.rocketmq.remoting.netty.TlsSystemConfig;

/* loaded from: input_file:org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.class */
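/**
 * Builds the server-side {@link SslContext} for the proxy's multi-protocol
 * listener, advertising HTTP/2 ("h2") through ALPN.
 *
 * <p>All settings are read from the static fields of {@link TlsSystemConfig}.
 * Several combinations of those settings produce a listener that encrypts
 * traffic but does not authenticate the peer; each is called out where it is
 * applied below so that operators can audit the effective configuration.
 */
public class MultiProtocolTlsHelper extends TlsHelper {
    private static final Logger log = LoggerFactory.getLogger("RocketmqProxy");

    /**
     * Opens the private-key file as-is. No decryption is performed here; a
     * password-protected key relies on the password handed to
     * {@code SslContextBuilder.forServer}.
     */
    private static final TlsHelper.DecryptionStrategy DECRYPTION_STRATEGY =
        (privateKeyPath, forClient) -> new FileInputStream(privateKeyPath);

    /**
     * Creates the server {@link SslContext} from the current {@link TlsSystemConfig} values.
     *
     * @return a server-mode context with ALPN configured for "h2"
     * @throws IOException if the certificate or private-key file cannot be opened
     * @throws CertificateException if the self-signed test certificate cannot be generated
     */
    public static SslContext buildSslContext() throws IOException, CertificateException {
        // The returned context is discarded, as in the original code.
        // NOTE(review): presumably called for its side effects inside TlsHelper
        // (e.g. populating TlsSystemConfig) -- confirm against TlsHelper.
        TlsHelper.buildSslContext(false);

        final SslProvider sslProvider;
        if (OpenSsl.isAvailable()) {
            sslProvider = SslProvider.OPENSSL;
            log.info("Using OpenSSL provider");
        } else {
            sslProvider = SslProvider.JDK;
            log.info("Using JDK SSL provider");
        }

        final SslContextBuilder builder;
        if (TlsSystemConfig.tlsTestModeEnable) {
            // Test mode serves a throwaway self-signed certificate that no client
            // can validate against a trust anchor; it must not be enabled in production.
            log.warn("TLS test mode is enabled: serving a generated self-signed certificate");
            SelfSignedCertificate selfSigned = new SelfSignedCertificate();
            // Use the provider detected above; hard-coding OPENSSL here would fail
            // on hosts where OpenSSL is not available.
            builder = SslContextBuilder
                .forServer(selfSigned.certificate(), selfSigned.privateKey())
                .sslProvider(sslProvider)
                .clientAuth(ClientAuth.OPTIONAL);
        } else {
            builder = configuredServerBuilder(sslProvider);
        }

        builder.applicationProtocolConfig(new ApplicationProtocolConfig(
            ApplicationProtocolConfig.Protocol.ALPN,
            ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
            ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
            new String[] {"h2"}));
        return builder.build();
    }

    /** Builds the non-test-mode server builder from the configured certificate, key and trust settings. */
    private static SslContextBuilder configuredServerBuilder(SslProvider sslProvider) throws IOException {
        final SslContextBuilder builder;
        // forServer(InputStream, InputStream, String) parses the certificate chain
        // and key before returning, so both streams can be closed right after the
        // call instead of leaking a file descriptor per context build.
        // try-with-resources skips null resources.
        try (InputStream certChain = StringUtils.isBlank(TlsSystemConfig.tlsServerCertPath)
                 ? null
                 : Files.newInputStream(Paths.get(TlsSystemConfig.tlsServerCertPath));
             InputStream privateKey = StringUtils.isBlank(TlsSystemConfig.tlsServerKeyPath)
                 ? null
                 : DECRYPTION_STRATEGY.decryptPrivateKey(TlsSystemConfig.tlsServerKeyPath, false)) {
            String keyPassword = StringUtils.isBlank(TlsSystemConfig.tlsServerKeyPassword)
                ? null
                : TlsSystemConfig.tlsServerKeyPassword;
            builder = SslContextBuilder.forServer(certChain, privateKey, keyPassword).sslProvider(sslProvider);
        }

        ClientAuth clientAuth = parseClientAuthMode(TlsSystemConfig.tlsServerNeedClientAuth);
        if (!TlsSystemConfig.tlsServerAuthClient) {
            // SECURITY: this trust manager accepts every client certificate without
            // verification. If client certificates are also requested, presenting one
            // proves nothing about the caller's identity.
            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
            if (clientAuth != ClientAuth.NONE) {
                log.warn("Client auth mode is {} but client certificate verification is disabled; "
                    + "client certificates will be accepted without validation", clientAuth);
            }
        } else if (!StringUtils.isBlank(TlsSystemConfig.tlsServerTrustCertPath)) {
            builder.trustManager(new File(TlsSystemConfig.tlsServerTrustCertPath));
        }
        // When verification is enabled but no trust certificate path is configured,
        // no trust manager is set here and the provider's default applies.
        builder.clientAuth(clientAuth);
        return builder;
    }

    /**
     * Maps a configuration string onto a {@link ClientAuth} constant, ignoring
     * case and surrounding whitespace.
     *
     * @param str the configured mode; may be {@code null}
     * @return the matching constant, or {@link ClientAuth#NONE} when {@code str}
     *     is blank or does not name a constant
     */
    private static ClientAuth parseClientAuthMode(String str) {
        if (null == str || str.trim().isEmpty()) {
            return ClientAuth.NONE;
        }
        // Locale.ROOT keeps the match independent of the JVM default locale: under
        // a Turkish locale "optional".toUpperCase() does not equal "OPTIONAL", which
        // would silently turn client authentication off. Trimming makes the
        // comparison consistent with the blank check above.
        String normalized = str.trim().toUpperCase(Locale.ROOT);
        for (ClientAuth clientAuth : ClientAuth.values()) {
            if (clientAuth.name().equals(normalized)) {
                return clientAuth;
            }
        }
        // Falling back to NONE disables client authentication, so make a typo in
        // the setting visible instead of failing open silently.
        log.warn("Unrecognized client auth mode '{}', falling back to {}", str, ClientAuth.NONE);
        return ClientAuth.NONE;
    }
}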
