package org.apache.kafka.common.security.ssl;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.ReferenceCountedOpenSslEngine;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.internal.logging.InternalLoggerFactory;
import io.netty.util.internal.logging.Log4JLoggerFactory;
import java.io.Closeable;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.apache.kafka.common.security.ssl.DefaultSslEngineFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/common/security/ssl/NettySslEngineFactory.class */
public class NettySslEngineFactory extends DefaultSslEngineFactory implements SslEngineFactory, CloseableSslEngineFactory {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) NettySslEngineFactory.class);
    private SslContext nettySslContext;
    private boolean configured = false;

    /* loaded from: input_file:org/apache/kafka/common/security/ssl/NettySslEngineFactory$CloseableSslEngine.class */
    class CloseableSslEngine implements Closeable {
        private final SSLEngine engine;

        CloseableSslEngine(SSLEngine sSLEngine) {
            this.engine = sSLEngine;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            if (this.engine instanceof ReferenceCountedOpenSslEngine) {
                ((ReferenceCountedOpenSslEngine) this.engine).release();
            }
        }
    }

    @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory, org.apache.kafka.common.security.auth.SslEngineFactory
    public SSLEngine createServerSslEngine(String str, int i) {
        if (!this.configured) {
            throw new RuntimeException("Cannot create SSLEngine since this factory has not yet been configured");
        }
        if (this.nettySslContext == null) {
            throw new RuntimeException("Cannot create SSLEngine since this factory could not be configured");
        }
        return this.nettySslContext.newEngine(ByteBufAllocator.DEFAULT, str, i);
    }

    @Override // org.apache.kafka.common.security.ssl.DefaultSslEngineFactory, org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        super.configure(map);
        if (OpenSsl.isAvailable()) {
            this.nettySslContext = createNettySslServerContext();
        } else {
            this.nettySslContext = null;
        }
        this.configured = true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isConfigurable(Map<String, ?> map, Mode mode) {
        if (mode != Mode.SERVER) {
            log.warn("Cannot configure Netty because the SSL mode is {} instead of {}", mode, Mode.SERVER);
            return false;
        }
        if (!map.containsKey("ssl.keystore.type") || !map.containsKey("ssl.keystore.location") || !map.containsKey("ssl.keystore.password")) {
            log.warn("Cannot configure Netty because keystore is not configured.");
            return false;
        }
        if (OpenSsl.isAvailable()) {
            return true;
        }
        log.warn("Cannot configure Netty because no OpenSSL is available.");
        return false;
    }

    @Override // org.apache.kafka.common.security.ssl.CloseableSslEngineFactory
    public Closeable sslEngineCloser(SSLEngine sSLEngine) {
        return new CloseableSslEngine(sSLEngine);
    }

    DefaultSslEngineFactory.PrivateKeyData loadPrivateKeyData() {
        DefaultSslEngineFactory.SecurityStore securityKeyStore = securityKeyStore();
        KeyStore load = securityKeyStore.load();
        KeyStore.PasswordProtection passwordProtection = securityKeyStore.keyPassword() == null ? null : new KeyStore.PasswordProtection(securityKeyStore.keyPassword().value().toCharArray());
        try {
            Enumeration<String> aliases = load.aliases();
            while (aliases.hasMoreElements()) {
                String nextElement = aliases.nextElement();
                if (load.isKeyEntry(nextElement)) {
                    try {
                        KeyStore.Entry entry = load.getEntry(nextElement, passwordProtection);
                        if (entry instanceof KeyStore.PrivateKeyEntry) {
                            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
                            PrivateKey privateKey = privateKeyEntry.getPrivateKey();
                            Certificate[] certificateChain = privateKeyEntry.getCertificateChain();
                            if (certificateChain instanceof X509Certificate[]) {
                                return new DefaultSslEngineFactory.PrivateKeyData(privateKey, (X509Certificate[]) certificateChain);
                            }
                            throw new RuntimeException("Expected a certificate chain of type X509Certificate for alias " + nextElement);
                        }
                    } catch (NoSuchAlgorithmException e) {
                        log.info("can't find the algorithm for recovering the {} entry.", nextElement);
                    } catch (UnrecoverableEntryException e2) {
                        log.trace("ignoring alias {}, since the password doesn't match.", nextElement);
                    }
                }
            }
            throw new RuntimeException("No private key found protected with the given password in " + securityKeyStore.path());
        } catch (KeyStoreException e3) {
            throw new KafkaException(e3);
        }
    }

    X509Certificate[] loadAllCertificates() {
        KeyStore load = securityTrustStore().load();
        ArrayList arrayList = new ArrayList();
        try {
            Enumeration<String> aliases = load.aliases();
            while (aliases.hasMoreElements()) {
                String nextElement = aliases.nextElement();
                if (load.isCertificateEntry(nextElement)) {
                    Certificate certificate = load.getCertificate(nextElement);
                    if (!(certificate instanceof X509Certificate)) {
                        throw new RuntimeException("Expected a certificate of type X509Certificate for alias " + nextElement);
                    }
                    arrayList.add((X509Certificate) certificate);
                }
            }
            return (X509Certificate[]) arrayList.toArray(new X509Certificate[0]);
        } catch (KeyStoreException e) {
            throw new KafkaException(e);
        }
    }

    private SslContext createNettySslServerContext() {
        try {
            if (keystore() == null) {
                throw new KafkaException("When using Netty in server mode, a keystore must be configured.");
            }
            DefaultSslEngineFactory.PrivateKeyData loadPrivateKeyData = loadPrivateKeyData();
            SslContextBuilder trustManager = SslContextBuilder.forServer(loadPrivateKeyData.key(), loadPrivateKeyData.certificateChain()).applicationProtocolConfig(ApplicationProtocolConfig.DISABLED).sslProvider(SslProvider.OPENSSL_REFCNT).trustManager(truststore() == null ? null : loadAllCertificates());
            if (enabledProtocols() != null) {
                trustManager.protocols(enabledProtocols());
            }
            if (cipherSuites() != null) {
                trustManager.ciphers(Arrays.asList(cipherSuites()));
            }
            switch (sslClientAuth()) {
                case NONE:
                    trustManager.clientAuth(ClientAuth.NONE);
                    break;
                case REQUIRED:
                    trustManager.clientAuth(ClientAuth.REQUIRE);
                    break;
                case REQUESTED:
                    trustManager.clientAuth(ClientAuth.OPTIONAL);
                    break;
            }
            log.info("Netty is enabled for SSL context with keystore {}, truststore {}.", keystore(), truststore());
            return trustManager.build();
        } catch (Exception e) {
            throw new KafkaException(e);
        }
    }

    static {
        InternalLoggerFactory.setDefaultFactory(Log4JLoggerFactory.INSTANCE);
        System.setProperty("io.netty.handler.ssl.openssl.useTasks", "false");
    }
}
