package org.apache.pulsar.common.util;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Set;
import java.util.concurrent.ScheduledExecutorService;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.common.classification.InterfaceAudience;
import org.apache.pulsar.common.tls.TlsHostnameVerifier;
import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/pulsar-common-2.10.0.2.jar:org/apache/pulsar/common/util/SecurityUtility.class */
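/**
 * Helpers for building TLS contexts (JSSE {@link SSLContext}, Netty {@link SslContext},
 * Jetty {@link SslContextFactory}) from PEM-encoded certificates and keys.
 *
 * <p>At class-load time a Bouncy Castle provider is resolved ({@link #BC_PROVIDER}) and,
 * when present on the class path, Conscrypt is registered ({@link #CONSCRYPT_PROVIDER}).
 * Because {@link #getProvider()} throws when no Bouncy Castle provider can be found, a
 * missing Bouncy Castle surfaces to callers as an {@code ExceptionInInitializerError}.
 *
 * <p>All {@code allowInsecureConnection} flags below select Netty's
 * {@link InsecureTrustManagerFactory}, which accepts any peer certificate; they are meant
 * for testing, not production.
 */
public class SecurityUtility {
    public static final String BC_FIPS_PROVIDER_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
    public static final String BC_NON_FIPS_PROVIDER_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    public static final String CONSCRYPT_PROVIDER_CLASS = "org.conscrypt.OpenSSLProvider";
    public static final String BC_FIPS = "BCFIPS";
    public static final String BC = "BC";
    private static final Logger log = LoggerFactory.getLogger(SecurityUtility.class);

    /** Line prefixes delimiting the base64 body of a PEM block. */
    private static final String PEM_BEGIN_MARKER = "-----BEGIN";
    private static final String PEM_END_MARKER = "-----END";
    /** Key algorithms tried, in this order, when decoding a PKCS#8 private key. */
    private static final String[] PRIVATE_KEY_ALGORITHMS = {"RSA", "EC"};

    /** Bouncy Castle provider (FIPS or non-FIPS); resolution failure aborts class initialization. */
    public static final Provider BC_PROVIDER = getProvider();
    /** Conscrypt provider, or {@code null} when Conscrypt is not usable on this JVM. */
    public static final Provider CONSCRYPT_PROVIDER = loadConscryptProvider();

    /**
     * Jetty {@link SslContextFactory} whose {@link SSLContext} is obtained from a
     * {@link DefaultSslContextBuilder} on every call, so the refresher decides when the
     * context is rebuilt. The Conscrypt provider is selected when it is available.
     */
    static class SslContextFactoryWithAutoRefresh extends SslContextFactory {
        private final DefaultSslContextBuilder sslCtxRefresher;

        /**
         * Creates the factory; all arguments are handed to {@link DefaultSslContextBuilder}
         * unchanged. The parameter names mirror the ones used by
         * {@link SecurityUtility#createSslContextFactory} — NOTE(review): confirm their order
         * against DefaultSslContextBuilder's constructor, which is not visible here.
         *
         * @param allowInsecureConnection whether peer certificates are accepted without verification
         * @param trustCertsFilePath PEM file with trusted CA certificates
         * @param certFilePath PEM file with the local certificate chain
         * @param keyFilePath PEM file with the local private key
         * @param requireTrustedClientCertOnConnect whether a trusted client certificate is mandatory
         * @param certRefreshInSec refresh interval forwarded to the builder
         * @throws SSLException, FileNotFoundException, GeneralSecurityException, IOException
         *         as propagated from {@link DefaultSslContextBuilder}
         */
        public SslContextFactoryWithAutoRefresh(boolean allowInsecureConnection, String trustCertsFilePath,
                String certFilePath, String keyFilePath, boolean requireTrustedClientCertOnConnect,
                long certRefreshInSec)
                throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
            this.sslCtxRefresher = new DefaultSslContextBuilder(allowInsecureConnection, trustCertsFilePath,
                    certFilePath, keyFilePath, requireTrustedClientCertOnConnect, certRefreshInSec);
            if (CONSCRYPT_PROVIDER != null) {
                setProvider(CONSCRYPT_PROVIDER.getName());
            }
        }

        /** Returns the (possibly refreshed) context held by the refresher. */
        @Override
        public SSLContext getSslContext() {
            return sslCtxRefresher.get();
        }
    }

    /**
     * Whether the resolved Bouncy Castle provider is the FIPS variant.
     *
     * @return {@code true} when {@link #BC_PROVIDER} is an instance of {@link #BC_FIPS_PROVIDER_CLASS}
     */
    public static boolean isBCFIPS() {
        // Constant on the left: getCanonicalName() may be null for unusual class kinds.
        return BC_FIPS_PROVIDER_CLASS.equals(BC_PROVIDER.getClass().getCanonicalName());
    }

    /**
     * Returns the Bouncy Castle provider, preferring an already-registered one ("BC" first,
     * then "BCFIPS") and otherwise instantiating and registering one from the class path.
     *
     * @return the Bouncy Castle provider (never {@code null})
     * @throws RuntimeException wrapping the failure when neither provider class can be loaded
     */
    public static Provider getProvider() {
        Provider registered = Security.getProvider(BC);
        if (registered == null) {
            registered = Security.getProvider(BC_FIPS);
        }
        if (registered != null) {
            if (log.isDebugEnabled()) {
                log.debug("Already instantiated Bouncy Castle provider {}", registered.getName());
            }
            return registered;
        }
        try {
            return getBCProviderFromClassPath();
        } catch (Exception e) {
            log.warn("Not able to get Bouncy Castle provider for both FIPS and Non-FIPS from class path:", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Reflectively loads Conscrypt, installs {@link TlsHostnameVerifier} as its default hostname
     * verifier and registers the provider with {@link Security}.
     *
     * @return the registered Conscrypt provider, or {@code null} if Conscrypt is absent or unusable
     */
    private static Provider loadConscryptProvider() {
        try {
            Class<?> conscryptClazz = Class.forName("org.conscrypt.Conscrypt");
            // Fails (possibly with an Error from native loading) when Conscrypt cannot run here,
            // hence the catch of Throwable below.
            conscryptClazz.getMethod("checkAvailability").invoke(null);
            Provider provider;
            try {
                provider = (Provider) Class.forName(CONSCRYPT_PROVIDER_CLASS).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                log.warn("Unable to get security provider for class {}", CONSCRYPT_PROVIDER_CLASS, e);
                return null;
            }
            installConscryptDefaultHostnameVerifier(conscryptClazz);
            Security.addProvider(provider);
            if (log.isDebugEnabled()) {
                log.debug("Added security provider '{}' from class {}", provider.getName(), CONSCRYPT_PROVIDER_CLASS);
            }
            return provider;
        } catch (Throwable t) {
            log.warn("Conscrypt isn't available. Using JDK default security provider.", t);
            return null;
        }
    }

    /**
     * Best-effort: wraps {@link TlsHostnameVerifier} and makes it Conscrypt's default hostname
     * verifier. Failure is logged and otherwise ignored so provider registration still proceeds.
     *
     * @param conscryptClazz the loaded {@code org.conscrypt.Conscrypt} class
     */
    private static void installConscryptDefaultHostnameVerifier(Class<?> conscryptClazz) {
        try {
            Class<?> verifierClazz = Class.forName("org.conscrypt.ConscryptHostnameVerifier");
            Object wrapped = conscryptClazz.getMethod("wrapHostnameVerifier", HostnameVerifier.class)
                    .invoke(null, new TlsHostnameVerifier());
            conscryptClazz.getMethod("setDefaultHostnameVerifier", verifierClazz).invoke(null, wrapped);
        } catch (Exception e) {
            log.warn("Unable to set default hostname verifier for Conscrypt", e);
        }
    }

    /**
     * Instantiates the non-FIPS Bouncy Castle provider, falling back to the FIPS one, and
     * registers it with {@link Security}.
     *
     * @return the newly registered provider
     * @throws Exception if neither provider class can be loaded and instantiated
     */
    public static Provider getBCProviderFromClassPath() throws Exception {
        Class<?> providerClazz;
        try {
            providerClazz = Class.forName(BC_NON_FIPS_PROVIDER_CLASS);
        } catch (ClassNotFoundException e) {
            log.warn("Not able to get Bouncy Castle provider: {}, try to get FIPS provider {}",
                    BC_NON_FIPS_PROVIDER_CLASS, BC_FIPS_PROVIDER_CLASS);
            providerClazz = Class.forName(BC_FIPS_PROVIDER_CLASS);
        }
        Provider provider = (Provider) providerClazz.getDeclaredConstructor().newInstance();
        Security.addProvider(provider);
        if (log.isDebugEnabled()) {
            log.debug("Found and Instantiated Bouncy Castle provider in classpath {}", provider.getName());
        }
        return provider;
    }

    /**
     * Builds a JSSE context with trust material only (no client certificate).
     *
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertificates trusted CA certificates; {@code null}/empty means the JDK default trust store
     * @return the initialized context
     * @throws GeneralSecurityException on key store or context initialization failure
     */
    public static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertificates)
            throws GeneralSecurityException {
        return createSslContext(allowInsecureConnection, trustCertificates, (Certificate[]) null, (PrivateKey) null);
    }

    /**
     * Builds a Netty client context with trust material only (no client certificate).
     *
     * @param sslProvider Netty SSL provider (JDK or OpenSSL)
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertsFilePath PEM file with trusted CA certificates; blank means the default trust store
     * @param ciphers cipher suites to enable; {@code null}/empty keeps Netty's defaults
     * @param protocols protocols to enable; {@code null}/empty keeps Netty's defaults
     * @return the built context
     * @throws GeneralSecurityException, SSLException, FileNotFoundException, IOException on load/build failure
     */
    public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection,
            String trustCertsFilePath, Set<String> ciphers, Set<String> protocols)
            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
        return createNettySslContextForClient(sslProvider, allowInsecureConnection, trustCertsFilePath,
                (Certificate[]) null, (PrivateKey) null, ciphers, protocols);
    }

    /**
     * Builds a JSSE context from PEM files.
     *
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertsFilePath PEM file with trusted CA certificates; {@code null}/empty for the default trust store
     * @param certFilePath PEM file with the local certificate chain; {@code null}/empty for no key manager
     * @param keyFilePath PEM file with the local PKCS#8 private key; {@code null}/empty for no key manager
     * @return the initialized context
     * @throws GeneralSecurityException on load, key store or context initialization failure
     */
    public static SSLContext createSslContext(boolean allowInsecureConnection, String trustCertsFilePath,
            String certFilePath, String keyFilePath) throws GeneralSecurityException {
        return createSslContext(allowInsecureConnection, loadCertificatesFromPemFile(trustCertsFilePath),
                loadCertificatesFromPemFile(certFilePath), loadPrivateKeyFromPemFile(keyFilePath));
    }

    /**
     * Builds a Netty client context whose key and trust managers re-read their PEM files
     * periodically ({@link KeyManagerProxy}, {@link TrustManagerProxy}).
     *
     * @param sslProvider Netty SSL provider (JDK or OpenSSL)
     * @param allowInsecureConnection accept any peer certificate when {@code true}; the trust file is then ignored
     * @param trustCertsFilePath PEM file with trusted CA certificates
     * @param certFilePath PEM file with the client certificate chain
     * @param keyFilePath PEM file with the client private key
     * @param unused not consulted by this implementation; kept for signature compatibility
     * @param refreshDurationSec refresh interval handed to both proxies
     * @param executor scheduler used by the proxies for refresh checks
     * @return the built context
     * @throws GeneralSecurityException, SSLException, FileNotFoundException, IOException on load/build failure
     */
    public static SslContext createAutoRefreshSslContextForClient(SslProvider sslProvider,
            boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath,
            String unused, int refreshDurationSec, ScheduledExecutorService executor)
            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
        KeyManagerProxy keyManager = new KeyManagerProxy(certFilePath, keyFilePath, refreshDurationSec, executor);
        SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(sslProvider);
        builder.keyManager(keyManager);
        if (allowInsecureConnection) {
            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
        } else {
            builder.trustManager(new TrustManagerProxy(trustCertsFilePath, refreshDurationSec, executor));
        }
        return builder.build();
    }

    /**
     * Builds a Netty client context from PEM file paths.
     *
     * @param sslProvider Netty SSL provider (JDK or OpenSSL)
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertsFilePath PEM file with trusted CA certificates; blank means the default trust store
     * @param certFilePath PEM file with the client certificate chain; {@code null}/empty for none
     * @param keyFilePath PEM file with the client PKCS#8 private key; {@code null}/empty for none
     * @param ciphers cipher suites to enable; {@code null}/empty keeps Netty's defaults
     * @param protocols protocols to enable; {@code null}/empty keeps Netty's defaults
     * @return the built context
     * @throws GeneralSecurityException, SSLException, FileNotFoundException, IOException on load/build failure
     */
    public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection,
            String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers,
            Set<String> protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
        return createNettySslContextForClient(sslProvider, allowInsecureConnection, trustCertsFilePath,
                loadCertificatesFromPemFile(certFilePath), loadPrivateKeyFromPemFile(keyFilePath), ciphers, protocols);
    }

    /**
     * Builds a Netty client context, reading trusted CAs from a file path and taking the client
     * credentials as already-parsed objects.
     *
     * @param sslProvider Netty SSL provider (JDK or OpenSSL)
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertsFilePath PEM file with trusted CA certificates; blank means the default trust store
     * @param certificates client certificate chain (elements must be X.509); {@code null} for none
     * @param privateKey client private key; {@code null} for none
     * @param ciphers cipher suites to enable; {@code null}/empty keeps Netty's defaults
     * @param protocols protocols to enable; {@code null}/empty keeps Netty's defaults
     * @return the built context
     * @throws GeneralSecurityException, SSLException, FileNotFoundException, IOException on load/build failure
     */
    public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection,
            String trustCertsFilePath, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers,
            Set<String> protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
        if (StringUtils.isBlank(trustCertsFilePath)) {
            return createNettySslContextForClient(sslProvider, allowInsecureConnection, (InputStream) null,
                    certificates, privateKey, ciphers, protocols);
        }
        try (FileInputStream trustCertsStream = new FileInputStream(trustCertsFilePath)) {
            return createNettySslContextForClient(sslProvider, allowInsecureConnection, trustCertsStream,
                    certificates, privateKey, ciphers, protocols);
        }
    }

    /**
     * Builds a Netty client context from a trust-certificate stream and parsed client credentials.
     * The stream is not closed here; the caller owns it.
     *
     * @param sslProvider Netty SSL provider (JDK or OpenSSL)
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertsStream PEM stream with trusted CA certificates; {@code null} means the default trust store
     * @param certificates client certificate chain (elements must be X.509); {@code null} for none
     * @param privateKey client private key; {@code null} for none
     * @param ciphers cipher suites to enable; {@code null}/empty keeps Netty's defaults
     * @param protocols protocols to enable; {@code null}/empty keeps Netty's defaults
     * @return the built context
     * @throws GeneralSecurityException, SSLException, FileNotFoundException, IOException on build failure
     */
    public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection,
            InputStream trustCertsStream, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers,
            Set<String> protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
        SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(sslProvider);
        setupTrustCerts(builder, allowInsecureConnection, trustCertsStream);
        setupKeyManager(builder, privateKey, toX509Array(certificates));
        setupCiphers(builder, ciphers);
        setupProtocols(builder, protocols);
        return builder.build();
    }

    /**
     * Builds a Netty server context from PEM files. The certificate chain and key are passed to
     * {@link SslContextBuilder#forServer}; Netty is expected to reject a missing key or chain
     * for a server — confirm against the Netty version in use.
     *
     * @param sslProvider Netty SSL provider (JDK or OpenSSL)
     * @param allowInsecureConnection accept any client certificate when {@code true}
     * @param trustCertsFilePath PEM file with CAs trusted for client certificates; blank means the default trust store
     * @param certFilePath PEM file with the server certificate chain
     * @param keyFilePath PEM file with the server PKCS#8 private key
     * @param ciphers cipher suites to enable; {@code null}/empty keeps Netty's defaults
     * @param protocols protocols to enable; {@code null}/empty keeps Netty's defaults
     * @param requireTrustedClientCertOnConnect {@code true} for {@link ClientAuth#REQUIRE}, else {@link ClientAuth#OPTIONAL}
     * @return the built context
     * @throws GeneralSecurityException, SSLException, FileNotFoundException, IOException on load/build failure
     */
    public static SslContext createNettySslContextForServer(SslProvider sslProvider, boolean allowInsecureConnection,
            String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers,
            Set<String> protocols, boolean requireTrustedClientCertOnConnect)
            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
        X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath);
        PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
        SslContextBuilder builder = SslContextBuilder.forServer(privateKey, certificates).sslProvider(sslProvider);
        setupCiphers(builder, ciphers);
        setupProtocols(builder, protocols);
        if (StringUtils.isNotBlank(trustCertsFilePath)) {
            try (FileInputStream trustCertsStream = new FileInputStream(trustCertsFilePath)) {
                setupTrustCerts(builder, allowInsecureConnection, trustCertsStream);
            }
        } else {
            setupTrustCerts(builder, allowInsecureConnection, null);
        }
        setupKeyManager(builder, privateKey, certificates);
        setupClientAuthentication(builder, requireTrustedClientCertOnConnect);
        return builder.build();
    }

    /**
     * Builds a JSSE context from parsed material, using the Conscrypt provider when available.
     *
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertificates trusted CA certificates; {@code null}/empty means the JDK default trust store
     * @param certificates local certificate chain; with {@code privateKey}, enables a key manager
     * @param privateKey local private key; {@code null} disables the key manager
     * @return the initialized context
     * @throws GeneralSecurityException on key store or context initialization failure
     */
    public static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertificates,
            Certificate[] certificates, PrivateKey privateKey) throws GeneralSecurityException {
        KeyStoreHolder keyStoreHolder = new KeyStoreHolder();
        TrustManager[] trustManagers = setupTrustCerts(keyStoreHolder, allowInsecureConnection, trustCertificates,
                CONSCRYPT_PROVIDER);
        KeyManager[] keyManagers = setupKeyManager(keyStoreHolder, privateKey, certificates);
        SSLContext sslContext = CONSCRYPT_PROVIDER != null
                ? SSLContext.getInstance(KeyStoreSSLContext.DEFAULT_SSL_PROTOCOL, CONSCRYPT_PROVIDER)
                : SSLContext.getInstance(KeyStoreSSLContext.DEFAULT_SSL_PROTOCOL);
        sslContext.init(keyManagers, trustManagers, new SecureRandom());
        return sslContext;
    }

    /**
     * Stores the key and chain in the holder's key store and derives key managers from it.
     *
     * @return the key managers, or {@code null} when either the key or the chain is absent
     * @throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException on key store failure
     */
    private static KeyManager[] setupKeyManager(KeyStoreHolder keyStoreHolder, PrivateKey privateKey,
            Certificate[] certificates) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
        if (certificates == null || privateKey == null) {
            return null;
        }
        keyStoreHolder.setPrivateKey("private", privateKey, certificates);
        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Empty password: the key store never leaves memory.
        factory.init(keyStoreHolder.getKeyStore(), "".toCharArray());
        return factory.getKeyManagers();
    }

    /**
     * Builds the trust managers for a JSSE context.
     *
     * @param keyStoreHolder receives the trusted certificates under aliases {@code trust0..N}
     * @param allowInsecureConnection when {@code true}, returns the accept-all managers
     * @param trustCertificates trusted CAs; {@code null}/empty initializes the factory with the JDK default store
     * @param provider provider for the {@link TrustManagerFactory}, or {@code null} for the default
     * @return the trust managers, each passed through {@link #processConscryptTrustManager}
     * @throws NoSuchAlgorithmException, KeyStoreException on factory failure
     */
    private static TrustManager[] setupTrustCerts(KeyStoreHolder keyStoreHolder, boolean allowInsecureConnection,
            Certificate[] trustCertificates, Provider provider) throws NoSuchAlgorithmException, KeyStoreException {
        if (allowInsecureConnection) {
            return InsecureTrustManagerFactory.INSTANCE.getTrustManagers();
        }
        String algorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory factory = provider != null
                ? TrustManagerFactory.getInstance(algorithm, provider)
                : TrustManagerFactory.getInstance(algorithm);
        if (trustCertificates == null || trustCertificates.length == 0) {
            factory.init((KeyStore) null);
        } else {
            for (int i = 0; i < trustCertificates.length; i++) {
                keyStoreHolder.setCertificate("trust" + i, trustCertificates[i]);
            }
            factory.init(keyStoreHolder.getKeyStore());
        }
        TrustManager[] trustManagers = factory.getTrustManagers();
        for (TrustManager trustManager : trustManagers) {
            processConscryptTrustManager(trustManager);
        }
        return trustManagers;
    }

    /**
     * Applies {@link #processConscryptTrustManager} to every element and returns the same array.
     *
     * @param trustManagers managers to process in place
     * @return {@code trustManagers}
     */
    @InterfaceAudience.Private
    public static TrustManager[] processConscryptTrustManagers(TrustManager[] trustManagers) {
        for (TrustManager trustManager : trustManagers) {
            processConscryptTrustManager(trustManager);
        }
        return trustManagers;
    }

    /**
     * For a Conscrypt {@code TrustManagerImpl} without an explicit hostname verifier, installs
     * Conscrypt's default verifier on it (reflectively). Other trust managers are left untouched.
     *
     * @param trustManager manager to inspect
     */
    private static void processConscryptTrustManager(TrustManager trustManager) {
        if (!"org.conscrypt.TrustManagerImpl".equals(trustManager.getClass().getName())) {
            return;
        }
        try {
            Class<?> conscryptClazz = Class.forName("org.conscrypt.Conscrypt");
            Object current = conscryptClazz.getMethod("getHostnameVerifier", TrustManager.class)
                    .invoke(null, trustManager);
            if (current != null) {
                return;
            }
            Object defaultVerifier = conscryptClazz.getMethod("getDefaultHostnameVerifier", TrustManager.class)
                    .invoke(null, trustManager);
            if (defaultVerifier != null) {
                conscryptClazz.getMethod("setHostnameVerifier", TrustManager.class,
                        Class.forName("org.conscrypt.ConscryptHostnameVerifier"))
                        .invoke(null, trustManager, defaultVerifier);
            }
        } catch (ReflectiveOperationException e) {
            log.warn("Unable to set hostname verifier for Conscrypt TrustManager implementation", e);
        }
    }

    /**
     * Loads all X.509 certificates from a PEM file.
     *
     * @param filePath path to the PEM file; {@code null}/empty yields {@code null}
     * @return the certificates, or {@code null} when no path was given
     * @throws KeyManagementException wrapping any I/O or parsing failure
     */
    public static X509Certificate[] loadCertificatesFromPemFile(String filePath) throws KeyManagementException {
        if (filePath == null || filePath.isEmpty()) {
            return null;
        }
        try (FileInputStream input = new FileInputStream(filePath)) {
            return loadCertificatesFromPemStream(input);
        } catch (IOException | GeneralSecurityException e) {
            // Also re-wraps the KeyManagementException from the stream loader; kept for a uniform message.
            throw new KeyManagementException("Certificate loading error", e);
        }
    }

    /**
     * Loads all X.509 certificates from a PEM stream. The stream is not closed.
     *
     * @param inStream PEM stream; {@code null} yields {@code null}
     * @return the certificates, or {@code null} when the stream is {@code null}
     * @throws KeyManagementException wrapping any I/O or parsing failure
     */
    public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream) throws KeyManagementException {
        if (inStream == null) {
            return null;
        }
        try {
            // Allows re-reading an in-memory stream; NOTE(review): a mark-supporting stream with no
            // mark set may throw here and surface as a loading error — confirm with callers.
            if (inStream.markSupported()) {
                inStream.reset();
            }
            Collection<? extends Certificate> certificates =
                    CertificateFactory.getInstance("X.509").generateCertificates(inStream);
            return certificates.toArray(new X509Certificate[0]);
        } catch (IOException | CertificateException e) {
            throw new KeyManagementException("Certificate loading error", e);
        }
    }

    /**
     * Loads a PKCS#8 private key from a PEM file.
     *
     * @param filePath path to the PEM file; {@code null}/empty yields {@code null}
     * @return the key, or {@code null} when no path was given
     * @throws KeyManagementException on I/O failure, or as thrown by {@link #loadPrivateKeyFromPemStream}
     */
    public static PrivateKey loadPrivateKeyFromPemFile(String filePath) throws KeyManagementException {
        if (filePath == null || filePath.isEmpty()) {
            return null;
        }
        try (FileInputStream input = new FileInputStream(filePath)) {
            return loadPrivateKeyFromPemStream(input);
        } catch (IOException e) {
            throw new KeyManagementException("Private key loading error", e);
        }
    }

    /**
     * Loads a private key from a PEM stream. Lines before the first {@code -----BEGIN} line
     * (comments, bag attributes) are skipped; the base64 body up to the {@code -----END} line is
     * decoded as a PKCS#8 {@link PKCS8EncodedKeySpec} and tried against the RSA and then the EC
     * key factory. A traditional PKCS#1 ("BEGIN RSA PRIVATE KEY") body is not converted here;
     * whether a provider accepts it is up to that provider. The stream is not closed.
     *
     * @param inStream PEM stream; {@code null} yields {@code null}
     * @return the key, or {@code null} when the stream is {@code null}
     * @throws KeyManagementException wrapping the I/O, base64 or key-spec failure, including when
     *         no {@code -----BEGIN} line is present
     */
    public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throws KeyManagementException {
        if (inStream == null) {
            return null;
        }
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(inStream, StandardCharsets.UTF_8))) {
            // Nothing has been buffered yet, so resetting the underlying stream is safe.
            if (inStream.markSupported()) {
                inStream.reset();
            }
            String base64Body = readPemBody(reader);
            if (base64Body == null) {
                throw new InvalidKeySpecException("no '" + PEM_BEGIN_MARKER + "' line found in PEM input");
            }
            byte[] der = Base64.getDecoder().decode(base64Body);
            return generatePrivateKey(new PKCS8EncodedKeySpec(der));
        } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
            // IllegalArgumentException: malformed base64.
            throw new KeyManagementException("Private key loading error", e);
        }
    }

    /**
     * Reads the base64 body of the first PEM block in the reader.
     *
     * @param reader positioned anywhere before the block
     * @return the concatenated body lines (possibly empty), or {@code null} if no BEGIN line exists
     * @throws IOException on read failure
     */
    private static String readPemBody(BufferedReader reader) throws IOException {
        String line;
        // Every line up to the BEGIN marker is inspected; none is skipped blindly.
        do {
            line = reader.readLine();
            if (line == null) {
                return null;
            }
        } while (!line.startsWith(PEM_BEGIN_MARKER));
        StringBuilder body = new StringBuilder();
        while ((line = reader.readLine()) != null && !line.startsWith(PEM_END_MARKER)) {
            body.append(line);
        }
        return body.toString();
    }

    /**
     * Tries each algorithm in {@link #PRIVATE_KEY_ALGORITHMS} against the PKCS#8 spec.
     *
     * @param keySpec the DER-encoded PKCS#8 key
     * @return the first key a factory accepts
     * @throws InvalidKeySpecException the first factory's failure, with later failures suppressed
     * @throws NoSuchAlgorithmException if a listed algorithm has no key factory on this JVM
     */
    private static PrivateKey generatePrivateKey(PKCS8EncodedKeySpec keySpec)
            throws InvalidKeySpecException, NoSuchAlgorithmException {
        InvalidKeySpecException firstFailure = null;
        for (String algorithm : PRIVATE_KEY_ALGORITHMS) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(keySpec);
            } catch (InvalidKeySpecException e) {
                if (firstFailure == null) {
                    firstFailure = e;
                } else {
                    firstFailure.addSuppressed(e);
                }
            }
        }
        throw firstFailure;
    }

    /**
     * Views a certificate array as X.509 without a blanket array cast.
     *
     * @param certificates chain whose elements must be {@link X509Certificate}; may be {@code null}
     * @return the same array when already typed as X.509, a typed copy otherwise, or {@code null}
     * @throws ArrayStoreException if an element is not an X.509 certificate
     */
    private static X509Certificate[] toX509Array(Certificate[] certificates) {
        if (certificates == null) {
            return null;
        }
        if (certificates instanceof X509Certificate[]) {
            return (X509Certificate[]) certificates;
        }
        return Arrays.copyOf(certificates, certificates.length, X509Certificate[].class);
    }

    /**
     * Configures the builder's trust source: accept-all when insecure, the given PEM stream when
     * present, otherwise Netty's default (passing a {@code null} {@link File}).
     */
    private static void setupTrustCerts(SslContextBuilder builder, boolean allowInsecureConnection,
            InputStream trustCertsStream) throws IOException, FileNotFoundException {
        if (allowInsecureConnection) {
            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
        } else if (trustCertsStream != null) {
            builder.trustManager(trustCertsStream);
        } else {
            builder.trustManager((File) null);
        }
    }

    /** Registers the local key and chain with the builder (both may be {@code null} for a client). */
    private static void setupKeyManager(SslContextBuilder builder, PrivateKey privateKey,
            X509Certificate[] certificates) {
        builder.keyManager(privateKey, certificates);
    }

    /** Restricts the builder to the given cipher suites; {@code null}/empty keeps the defaults. */
    private static void setupCiphers(SslContextBuilder builder, Set<String> ciphers) {
        if (ciphers == null || ciphers.isEmpty()) {
            return;
        }
        builder.ciphers(ciphers);
    }

    /** Restricts the builder to the given protocols; {@code null}/empty keeps the defaults. */
    private static void setupProtocols(SslContextBuilder builder, Set<String> protocols) {
        if (protocols == null || protocols.isEmpty()) {
            return;
        }
        builder.protocols(protocols.toArray(new String[0]));
    }

    /**
     * Sets client authentication to {@link ClientAuth#REQUIRE} when a trusted client certificate
     * is mandatory, otherwise {@link ClientAuth#OPTIONAL} (a presented certificate is still verified).
     */
    private static void setupClientAuthentication(SslContextBuilder builder,
            boolean requireTrustedClientCertOnConnect) {
        builder.clientAuth(requireTrustedClientCertOnConnect ? ClientAuth.REQUIRE : ClientAuth.OPTIONAL);
    }

    /**
     * Builds a Jetty {@link SslContextFactory}, either auto-refreshing or backed by a context
     * built once from the PEM files.
     *
     * @param allowInsecureConnection accept any peer certificate when {@code true}
     * @param trustCertsFilePath PEM file with trusted CA certificates
     * @param certFilePath PEM file with the local certificate chain
     * @param keyFilePath PEM file with the local PKCS#8 private key
     * @param requireTrustedClientCertOnConnect {@code true} → need client auth; {@code false} → want client auth
     * @param autoRefresh whether to return a {@link SslContextFactoryWithAutoRefresh}
     * @param certRefreshInSec refresh interval; NOTE(review): currently not forwarded, see below
     * @return the configured factory
     * @throws GeneralSecurityException, SSLException, FileNotFoundException, IOException on load/build failure
     */
    public static SslContextFactory createSslContextFactory(boolean allowInsecureConnection,
            String trustCertsFilePath, String certFilePath, String keyFilePath,
            boolean requireTrustedClientCertOnConnect, boolean autoRefresh, long certRefreshInSec)
            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
        SslContextFactory factory;
        if (autoRefresh) {
            // NOTE(review): certRefreshInSec is ignored and 0 is passed, as in the original; confirm how
            // DefaultSslContextBuilder treats 0 before forwarding the parameter.
            factory = new SslContextFactoryWithAutoRefresh(allowInsecureConnection, trustCertsFilePath,
                    certFilePath, keyFilePath, requireTrustedClientCertOnConnect, 0L);
        } else {
            factory = new SslContextFactory();
            factory.setSslContext(createSslContext(allowInsecureConnection, trustCertsFilePath, certFilePath,
                    keyFilePath));
        }
        if (requireTrustedClientCertOnConnect) {
            factory.setNeedClientAuth(true);
        } else {
            factory.setWantClientAuth(true);
        }
        // NOTE(review): trustAll disables Jetty's own trust/endpoint checks; the expectation is that the
        // explicit SSLContext above carries the real trust decision — confirm against the Jetty version in use.
        factory.setTrustAll(true);
        return factory;
    }
}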
