package org.apache.pulsar.jetcd.shaded.io.vertx.core.net.impl;

import io.grpc.netty.shaded.io.netty.handler.ssl.OpenSsl;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
import java.io.ByteArrayInputStream;
import java.security.cert.CRL;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumMap;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.Future;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.Promise;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.VertxException;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.buffer.Buffer;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.file.FileSystem;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.http.ClientAuth;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.impl.ContextInternal;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.ClientOptionsBase;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.JdkSSLEngineOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.KeyCertOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.NetClientOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.NetServerOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.OpenSSLEngineOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.SSLEngineOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.SSLOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.TCPSSLOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.net.TrustOptions;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.spi.tls.DefaultSslContextFactory;
import org.apache.pulsar.jetcd.shaded.io.vertx.core.spi.tls.SslContextFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/jetcd-core-shaded-3.3.5.2.jar:org/apache/pulsar/jetcd/shaded/io/vertx/core/net/impl/SSLHelper.class */
/**
 * Builds, caches and refreshes the TLS configuration (key managers, trust managers, CRLs and
 * SSL engine selection) for a Vert.x TCP client or server.
 *
 * <p>This listing is decompiler output (JADX) of the class shaded into the jetcd bundle. Names
 * such as {@code z}, {@code j}, {@code promise2} and {@code asyncResult} are decompiler-generated,
 * and some constructs ({@code Stream<R>}, {@code onComplete2}, the nested lambdas in
 * {@link #updateSslContext}) do not correspond one-to-one to the original source.
 *
 * <p>Security-relevant settings captured once by the constructor: {@code trustAll},
 * {@code clientAuth} and {@code endpointIdentificationAlgorithm}. Review how callers populate the
 * options object before relying on the resulting TLS configuration.
 */
public class SSLHelper {
    // Source of the ids that updateSslContext() assigns to each call.
    private static final AtomicLong seq = new AtomicLong();
    // Vert.x ClientAuth -> Netty ClientAuth; filled by the static initializer at the end of the class.
    static final EnumMap<ClientAuth, io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth> CLIENT_AUTH_MAPPING = new EnumMap<>(ClientAuth.class);
    // Value of TCPSSLOptions.isSsl(); one of the conditions that triggers a full build in build().
    private final boolean ssl;
    // Only true for NetServerOptions with isSni(); forwarded to SslChannelProvider.
    private final boolean sni;
    // Only true for ClientOptionsBase with isTrustAll(); forwarded to SslChannelProvider.
    // NOTE(review): the name implies that peer certificates are accepted without validation;
    // confirm in SslChannelProvider and audit every caller that enables it.
    private final boolean trustAll;
    // Taken from NetServerOptions.getClientAuth(); ClientAuth.NONE for every other options type.
    private final ClientAuth clientAuth;
    // True when the options object is a ClientOptionsBase.
    private final boolean client;
    private final boolean useAlpn;
    // NetClientOptions.getHostnameVerificationAlgorithm(), or "" for every other options type.
    // NOTE(review): an empty value presumably means that no endpoint identification is requested
    // through this helper; confirm where the peer host name is verified for those callers.
    private final String endpointIdentificationAlgorithm;
    private final SSLEngineOptions sslEngineOptions;
    private final List<String> applicationProtocols;
    // The five fields below are (re)assigned inside the blocking task started by build() and read
    // by EngineConfig.sslContextProvider().
    // NOTE(review): the writes in build() are not made under this object's monitor and
    // buildContextProvider()/buildChannelProvider() are public; confirm that overlapping builds
    // cannot mix key/trust material from two different SSLOptions.
    private KeyManagerFactory keyManagerFactory;
    private TrustManagerFactory trustManagerFactory;
    private Function<String, KeyManagerFactory> keyManagerFactoryMapper;
    private Function<String, TrustManager[]> trustManagerMapper;
    private List<CRL> crls;
    // Latest channel provider (or the pending build of it); null until updateSslContext() is called.
    private Future<CachedProvider> cachedProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:META-INF/bundled-dependencies/jetcd-core-shaded-3.3.5.2.jar:org/apache/pulsar/jetcd/shaded/io/vertx/core/net/impl/SSLHelper$CachedProvider.class */
    /**
     * Immutable record of one channel-provider build: the options it was built from, the id of the
     * {@link #updateSslContext} call that produced it, the provider itself and an optional failure.
     */
    public static class CachedProvider {
        final SSLOptions options;
        final long id;
        final SslChannelProvider sslChannelProvider;
        // null on a fresh successful build; set when an older provider is carried over after a
        // failed rebuild (see updateSslContext).
        final Throwable failure;

        CachedProvider(SSLOptions sSLOptions, long j, SslChannelProvider sslChannelProvider, Throwable th) {
            this.options = sSLOptions;
            this.id = j;
            this.sslChannelProvider = sslChannelProvider;
            this.failure = th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:META-INF/bundled-dependencies/jetcd-core-shaded-3.3.5.2.jar:org/apache/pulsar/jetcd/shaded/io/vertx/core/net/impl/SSLHelper$EngineConfig.class */
    /**
     * Result of {@link #build}: the options used, a supplier of the SSL context factory and the
     * worker-pool flag. It is a non-static inner class because {@link #sslContextProvider()} reads
     * the key/trust/CRL fields of the enclosing helper.
     */
    public class EngineConfig {
        private final SSLOptions sslOptions;
        private final Supplier<SslContextFactory> supplier;
        private final boolean useWorkerPool;

        public EngineConfig(SSLOptions sSLOptions, Supplier<SslContextFactory> supplier, boolean z) {
            this.sslOptions = sSLOptions;
            this.supplier = supplier;
            this.useWorkerPool = z;
        }

        /**
         * Creates a context provider from the enclosing helper's current state.
         *
         * <p>Cipher suites and protocol versions come from this config's own options; client auth,
         * endpoint identification, application protocols, key/trust managers and CRLs are read from
         * the enclosing {@code SSLHelper} at the moment of the call.
         */
        SslContextProvider sslContextProvider() {
            return new SslContextProvider(SSLHelper.this.clientAuth, SSLHelper.this.endpointIdentificationAlgorithm, SSLHelper.this.applicationProtocols, this.sslOptions.getEnabledCipherSuites(), this.sslOptions.getEnabledSecureTransportProtocols(), SSLHelper.this.keyManagerFactory, SSLHelper.this.keyManagerFactoryMapper, SSLHelper.this.trustManagerFactory, SSLHelper.this.trustManagerMapper, SSLHelper.this.crls, this.supplier);
        }
    }

    /**
     * Chooses and validates the SSL engine implementation.
     *
     * @param sSLEngineOptions engine requested by the caller, or {@code null} to pick a default
     * @param z whether ALPN is required ({@link #build} passes {@code useAlpn} here)
     * @return the engine options to use, never {@code null}
     * @throws VertxException if OpenSSL was requested but is unavailable, or if ALPN is required
     *     and the selected engine does not provide it
     */
    public static SSLEngineOptions resolveEngineOptions(SSLEngineOptions sSLEngineOptions, boolean z) {
        // No explicit engine and ALPN wanted: take the JDK engine if it has ALPN, else OpenSSL if it does.
        if (sSLEngineOptions == null && z) {
            if (JdkSSLEngineOptions.isAlpnAvailable()) {
                sSLEngineOptions = new JdkSSLEngineOptions();
            } else if (OpenSSLEngineOptions.isAlpnAvailable()) {
                sSLEngineOptions = new OpenSSLEngineOptions();
            }
        }
        if (sSLEngineOptions == null) {
            // Still nothing chosen: default to the JDK engine.
            sSLEngineOptions = new JdkSSLEngineOptions();
        } else if ((sSLEngineOptions instanceof OpenSSLEngineOptions) && !OpenSsl.isAvailable()) {
            // Fail instead of silently switching engines; the native load failure is kept as the cause.
            VertxException vertxException = new VertxException("OpenSSL is not available");
            Throwable unavailabilityCause = OpenSsl.unavailabilityCause();
            if (unavailabilityCause != null) {
                vertxException.initCause(unavailabilityCause);
            }
            throw vertxException;
        }
        if (z) {
            // ALPN was requested: reject an engine that cannot negotiate it.
            if ((sSLEngineOptions instanceof JdkSSLEngineOptions) && !JdkSSLEngineOptions.isAlpnAvailable()) {
                throw new VertxException("ALPN not available for JDK SSL/TLS engine");
            }
            if ((sSLEngineOptions instanceof OpenSSLEngineOptions) && !OpenSSLEngineOptions.isAlpnAvailable()) {
                throw new VertxException("ALPN is not available for OpenSSL SSL/TLS engine");
            }
        }
        return sSLEngineOptions;
    }

    /**
     * Captures the immutable TLS settings from the transport options.
     *
     * <p>Which settings are honoured depends on the runtime type of the options object:
     * {@code trustAll} only for {@link ClientOptionsBase}, {@code clientAuth} and {@code sni} only
     * for {@link NetServerOptions}, and the hostname verification algorithm only for
     * {@link NetClientOptions}. Every other type gets {@code false}, {@code ClientAuth.NONE} or
     * {@code ""} respectively.
     *
     * @param tCPSSLOptions transport options to read from
     * @param list application protocols, stored as given (no copy is made)
     */
    public SSLHelper(TCPSSLOptions tCPSSLOptions, List<String> list) {
        this.sslEngineOptions = tCPSSLOptions.getSslEngineOptions();
        this.ssl = tCPSSLOptions.isSsl();
        this.useAlpn = tCPSSLOptions.isUseAlpn();
        this.client = tCPSSLOptions instanceof ClientOptionsBase;
        this.trustAll = (tCPSSLOptions instanceof ClientOptionsBase) && ((ClientOptionsBase) tCPSSLOptions).isTrustAll();
        this.clientAuth = tCPSSLOptions instanceof NetServerOptions ? ((NetServerOptions) tCPSSLOptions).getClientAuth() : ClientAuth.NONE;
        this.endpointIdentificationAlgorithm = tCPSSLOptions instanceof NetClientOptions ? ((NetClientOptions) tCPSSLOptions).getHostnameVerificationAlgorithm() : "";
        this.sni = (tCPSSLOptions instanceof NetServerOptions) && ((NetServerOptions) tCPSSLOptions).isSni();
        this.applicationProtocols = list;
    }

    /**
     * Returns the SNI entry count reported by the cached channel provider, or 0 when the cached
     * future has no result.
     *
     * <p>NOTE(review): {@code cachedProvider} is assigned only in {@link #updateSslContext}; calling
     * this method before the first update dereferences {@code null}.
     */
    public synchronized int sniEntrySize() {
        CachedProvider result = this.cachedProvider.result();
        if (result != null) {
            return result.sslChannelProvider.sniEntrySize();
        }
        return 0;
    }

    /**
     * Builds the channel provider for the given options, or reuses the cached one.
     *
     * <p>The cached provider is reused when {@code z} is false, the previous build succeeded and
     * its options are equal to {@code sSLOptions}; otherwise a new build is started. The returned
     * update carries the provider, a flag that is true when the provider was created by this very
     * call (its id equals the id drawn here) and any recorded failure.
     *
     * <p>NOTE(review): the decompiler named the parameters of both nested lambdas
     * {@code asyncResult}. The casts indicate which value is meant: results cast to
     * {@code SslChannelProvider} belong to the new build, results cast to {@code CachedProvider}
     * belong to the previously cached entry. The branch that builds a {@code CachedProvider} from
     * the previous entry appears intended to keep serving the last good TLS configuration, with the
     * failure attached, when a rebuild fails. Which {@code cause()} is propagated in the last two
     * branches cannot be determined from this listing; check the original source before relying
     * on it.
     *
     * @param sSLOptions options to build from
     * @param z when true, rebuild even if the options are unchanged
     * @param contextInternal context used for the blocking build and for the resulting futures
     * @return a future completed with the outcome of this update
     */
    public Future<SslContextUpdate> updateSslContext(SSLOptions sSLOptions, boolean z, ContextInternal contextInternal) {
        Future map;
        // Id of this call; compared below to tell whether the resulting provider is new.
        long andIncrement = seq.getAndIncrement();
        synchronized (this) {
            if (this.cachedProvider == null) {
                // First update: nothing cached yet, always build.
                this.cachedProvider = buildChannelProvider(sSLOptions, contextInternal).map(sslChannelProvider -> {
                    return new CachedProvider(sSLOptions, andIncrement, sslChannelProvider, null);
                });
            } else {
                // Chain onto the previous build so that updates are applied in call order.
                this.cachedProvider = this.cachedProvider.transform(asyncResult -> {
                    return (!z && asyncResult.succeeded() && ((CachedProvider) asyncResult.result()).options.equals(sSLOptions)) ? Future.succeededFuture(asyncResult.result()) : buildChannelProvider(sSLOptions, contextInternal).transform(asyncResult -> {
                        return asyncResult.succeeded() ? contextInternal.succeededFuture(new CachedProvider(sSLOptions, andIncrement, (SslChannelProvider) asyncResult.result(), null)) : asyncResult.succeeded() ? contextInternal.succeededFuture(new CachedProvider(((CachedProvider) asyncResult.result()).options, ((CachedProvider) asyncResult.result()).id, ((CachedProvider) asyncResult.result()).sslChannelProvider, asyncResult.cause())) : contextInternal.failedFuture(asyncResult.cause());
                    });
                });
            }
            map = this.cachedProvider.map(cachedProvider -> {
                return new SslContextUpdate(cachedProvider.sslChannelProvider, cachedProvider.id == andIncrement, cachedProvider.failure);
            });
        }
        return map;
    }

    /**
     * Runs {@link #build} on a new {@code SSLOptions} created from the argument and returns the
     * resulting context provider. Nothing is cached by this method.
     */
    public Future<SslContextProvider> buildContextProvider(SSLOptions sSLOptions, ContextInternal contextInternal) {
        return build(new SSLOptions(sSLOptions), contextInternal).map((v0) -> {
            return v0.sslContextProvider();
        });
    }

    /**
     * Runs {@link #build} on a new {@code SSLOptions} created from the argument and wraps the result
     * in an {@code SslChannelProvider}.
     *
     * <p>The handshake timeout and its unit come from the options; {@code sni}, {@code trustAll}
     * and {@code useAlpn} are the values fixed by the constructor, so they cannot be changed by a
     * later options update.
     */
    public Future<SslChannelProvider> buildChannelProvider(SSLOptions sSLOptions, ContextInternal contextInternal) {
        return build(new SSLOptions(sSLOptions), contextInternal).map(engineConfig -> {
            return new SslChannelProvider(engineConfig.sslContextProvider(), engineConfig.sslOptions.getSslHandshakeTimeout(), engineConfig.sslOptions.getSslHandshakeTimeoutUnit(), this.sni, this.trustAll, this.useAlpn, contextInternal.owner().getInternalWorkerPool().executor(), engineConfig.useWorkerPool);
        });
    }

    /**
     * Loads key material, trust material and CRLs, then resolves the SSL engine.
     *
     * <p>When key/cert options, trust options, {@code trustAll} or {@code ssl} is set, the work runs
     * in two blocking tasks: the first fills the key/trust/CRL fields of this helper, the second
     * resolves the engine through {@link #resolveEngineOptions}. Any exception in either task fails
     * the returned future, so an unreadable or unparsable CRL aborts the build rather than being
     * skipped. When none of those conditions holds, a config backed by a JDK
     * {@code DefaultSslContextFactory} is returned without touching any field.
     *
     * <p>A non-client helper without key/cert options fails with
     * "Key/certificate is mandatory for SSL".
     *
     * @param sSLOptions options to build from
     * @param contextInternal context whose owner resolves files and runs the blocking tasks
     * @return a future completed with the engine configuration
     */
    private Future<EngineConfig> build(SSLOptions sSLOptions, ContextInternal contextInternal) {
        Future<EngineConfig> future;
        KeyCertOptions keyCertOptions = sSLOptions.getKeyCertOptions();
        TrustOptions trustOptions = sSLOptions.getTrustOptions();
        if (keyCertOptions != null || trustOptions != null || this.trustAll || this.ssl) {
            Promise promise = Promise.promise();
            future = promise.future();
            contextInternal.executeBlockingInternal(promise2 -> {
                try {
                    // NOTE(review): neither assignment below has an else branch, so a factory set
                    // by an earlier build is kept when the new options carry no key/cert or trust
                    // options. Confirm that a rebuild is never expected to drop trust or key
                    // material this way.
                    if (sSLOptions.getKeyCertOptions() != null) {
                        this.keyManagerFactory = sSLOptions.getKeyCertOptions().getKeyManagerFactory(contextInternal.owner());
                        this.keyManagerFactoryMapper = sSLOptions.getKeyCertOptions().keyManagerFactoryMapper(contextInternal.owner());
                    }
                    if (sSLOptions.getTrustOptions() != null) {
                        this.trustManagerFactory = sSLOptions.getTrustOptions().getTrustManagerFactory(contextInternal.owner());
                        this.trustManagerMapper = sSLOptions.getTrustOptions().trustManagerMapper(contextInternal.owner());
                    }
                    // The CRL list is rebuilt from scratch on every build.
                    this.crls = new ArrayList();
                    // Raw CRL buffers: files named by getCrlPaths() first, then getCrlValues().
                    ArrayList arrayList = new ArrayList();
                    if (sSLOptions.getCrlPaths() != null) {
                        Stream<R> map = sSLOptions.getCrlPaths().stream().map(str -> {
                            return contextInternal.owner().resolveFile(str).getAbsolutePath();
                        });
                        FileSystem fileSystem = contextInternal.owner().fileSystem();
                        // Decompiler rendering of the implicit null check made for the method reference below.
                        fileSystem.getClass();
                        arrayList.addAll((Collection) map.map(fileSystem::readFileBlocking).collect(Collectors.toList()));
                    }
                    if (sSLOptions.getCrlValues() != null) {
                        arrayList.addAll(sSLOptions.getCrlValues());
                    }
                    // Each buffer may hold several CRLs; a parse error throws and fails the build.
                    // Whether the CRLs are enforced during the handshake is decided in
                    // SslContextProvider, which is not visible here.
                    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                    Iterator it = arrayList.iterator();
                    while (it.hasNext()) {
                        this.crls.addAll(certificateFactory.generateCRLs(new ByteArrayInputStream(((Buffer) it.next()).getBytes())));
                    }
                    // A server-side helper must present a certificate; a client may go without one.
                    if (this.client || sSLOptions.getKeyCertOptions() != null) {
                        promise2.complete();
                    } else {
                        promise2.fail("Key/certificate is mandatory for SSL");
                    }
                } catch (Exception e) {
                    promise2.fail(e);
                }
            }).compose(r7 -> {
                // Second blocking step: engine resolution (may probe for OpenSSL and ALPN).
                return contextInternal.executeBlockingInternal(promise3 -> {
                    try {
                        SSLEngineOptions resolveEngineOptions = resolveEngineOptions(this.sslEngineOptions, this.useAlpn);
                        // Decompiler rendering of the implicit null check made for the method reference below.
                        resolveEngineOptions.getClass();
                        promise3.complete(new EngineConfig(sSLOptions, resolveEngineOptions::sslContextFactory, resolveEngineOptions.getUseWorkerThread()));
                    } catch (Exception e) {
                        promise3.fail(e);
                    }
                });
            }).onComplete2(promise);
        } else {
            // Nothing TLS-related configured: JDK provider, no worker pool, helper fields untouched.
            future = Future.succeededFuture(new EngineConfig(sSLOptions, () -> {
                return new DefaultSslContextFactory(SslProvider.JDK, false);
            }, false));
        }
        return future;
    }

    // Vert.x -> Netty client-auth mapping. REQUEST maps to Netty's OPTIONAL, so a server configured
    // with REQUEST asks for a client certificate without requiring one; only REQUIRED maps to
    // REQUIRE. The odd casts are decompiler output.
    static {
        CLIENT_AUTH_MAPPING.put((EnumMap<ClientAuth, io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth>) ClientAuth.REQUIRED, (ClientAuth) io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth.REQUIRE);
        CLIENT_AUTH_MAPPING.put((EnumMap<ClientAuth, io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth>) ClientAuth.REQUEST, (ClientAuth) io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth.OPTIONAL);
        CLIENT_AUTH_MAPPING.put((EnumMap<ClientAuth, io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth>) ClientAuth.NONE, (ClientAuth) io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth.NONE);
    }
}
