package com.hivemq.security.ssl;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import com.hivemq.bootstrap.ioc.lazysingleton.LazySingleton;
import com.hivemq.configuration.service.entity.Listener;
import com.hivemq.configuration.service.entity.Tls;
import com.hivemq.exceptions.UnrecoverableException;
import com.hivemq.extension.sdk.api.annotations.NotNull;
import com.hivemq.security.exception.SslException;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.Channel;
import io.netty.handler.ssl.OpenSslServerContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

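@LazySingleton
/* loaded from: input_file:com/hivemq/security/ssl/SslFactory.class */
/**
 * Creates Netty {@link SslHandler}s and server-side {@link SslContext}s from a listener's {@link Tls} configuration.
 * <p>
 * Contexts are cached in the injected {@link SslContextStore}, keyed by the {@link Tls} configuration, so the
 * (expensive) context creation happens once per configuration. {@link #verifySslAtBootstrap} builds the context
 * eagerly at startup and logs the protocols and cipher suites that are actually enabled, so a misconfiguration is
 * visible before the first client connects.
 */
public class SslFactory {

    private static final Logger log = LoggerFactory.getLogger(SslFactory.class);

    /**
     * Number of leading characters ignored when comparing OpenSSL cipher suite names against the configuration
     * (presumably the {@code TLS_} / {@code SSL_} naming prefix, which differs between naming schemes).
     */
    private static final int CIPHER_SUITE_PREFIX_LENGTH = 4;

    @NotNull
    private final SslContextStore sslContextStore;

    @NotNull
    private final SslContextFactory sslContextFactory;

    /**
     * @param sslContextStore   cache of already created contexts, keyed by {@link Tls} configuration
     * @param sslContextFactory creates a new context for a {@link Tls} configuration on a cache miss
     */
    @Inject
    public SslFactory(
            @NotNull final SslContextStore sslContextStore,
            @NotNull final SslContextFactory sslContextFactory) {
        this.sslContextStore = sslContextStore;
        this.sslContextFactory = sslContextFactory;
    }

    /**
     * Builds a server-side {@link SslHandler} for a freshly accepted channel.
     * <p>
     * The handshake timeout is taken from {@link Tls#getHandshakeTimeout()} and applied in milliseconds.
     *
     * @param channel    the accepted channel; its allocator is used for the engine
     * @param tls        the listener's TLS configuration
     * @param sslContext the (cached) context to create the engine from, see {@link #getSslContext(Tls)}
     * @return a handler wrapping a server-mode engine configured from {@code tls}
     * @throws SslException if the engine cannot be created
     */
    @NotNull
    public SslHandler getSslHandler(
            @NotNull final Channel channel,
            @NotNull final Tls tls,
            @NotNull final SslContext sslContext) throws SslException {
        final SslHandler sslHandler = new SslHandler(getSslEngine(channel, tls, sslContext));
        sslHandler.setHandshakeTimeoutMillis(tls.getHandshakeTimeout());
        return sslHandler;
    }

    /**
     * Creates a server-mode {@link SSLEngine} from the context and applies the configured protocols and client
     * authentication mode.
     * <p>
     * {@link Tls.ClientAuthMode#REQUIRED} makes the handshake fail without a client certificate,
     * {@link Tls.ClientAuthMode#OPTIONAL} requests one but accepts its absence; any other mode leaves the engine's
     * default (no client certificate requested).
     *
     * @param channel    the channel whose allocator backs the engine
     * @param tls        the listener's TLS configuration
     * @param sslContext the context to create the engine from
     * @return the configured engine
     * @throws SslException if the engine cannot be created
     */
    @NotNull
    protected SSLEngine getSslEngine(
            @NotNull final Channel channel,
            @NotNull final Tls tls,
            @NotNull final SslContext sslContext) throws SslException {
        final SSLEngine engine = sslContext.newEngine(channel.alloc());
        enableProtocols(engine, tls.getProtocols());
        engine.setUseClientMode(false);

        final Tls.ClientAuthMode clientAuthMode = tls.getClientAuthMode();
        if (Tls.ClientAuthMode.REQUIRED.equals(clientAuthMode)) {
            engine.setNeedClientAuth(true);
        } else if (Tls.ClientAuthMode.OPTIONAL.equals(clientAuthMode)) {
            engine.setWantClientAuth(true);
        }
        return engine;
    }

    /**
     * Returns the {@link SslContext} for a TLS configuration, creating and caching it on first use.
     *
     * @param tls the listener's TLS configuration, used as the cache key
     * @return the cached or newly created context
     * @throws SslException if the context cannot be created; wraps the underlying {@link SSLException}
     */
    @NotNull
    public SslContext getSslContext(@NotNull final Tls tls) throws SslException {
        try {
            final SslContext cached = sslContextStore.get(tls);
            if (cached != null) {
                return cached;
            }
            final SslContext created = sslContextFactory.createSslContext(tls);
            sslContextStore.put(tls, created);
            return created;
        } catch (final SSLException e) {
            throw new SslException("Not able to create SSL server context", e);
        }
    }

    /**
     * Eagerly builds and caches the {@link SslContext} of a listener at startup and logs its effective settings.
     * <p>
     * If the store does not yet hold a context for {@code tls}, one is created, stored, and a throw-away engine is
     * used to log the protocols and cipher suites that end up enabled. Configured cipher suites the engine does not
     * report as enabled are logged as a warning: they are silently not applied, so the listener may run with a
     * different cipher set than the operator intended. Treat that warning as a configuration error.
     *
     * @param listener the listener whose name, bind address and port appear in the log output
     * @param tls      the TLS configuration of that listener
     * @throws UnrecoverableException if the context cannot be created; the reason is logged at ERROR and the full
     *                                exception at DEBUG
     */
    public void verifySslAtBootstrap(@NotNull final Listener listener, @NotNull final Tls tls) {
        try {
            if (sslContextStore.contains(tls)) {
                return;
            }
            final SslContext sslContext = sslContextFactory.createSslContext(tls);
            sslContextStore.putAtStart(tls, sslContext);

            // A throw-away engine is enough to learn what the context really enables; the shared default
            // allocator avoids building a new pooled allocator (and its arenas) for every listener.
            final SSLEngine engine = sslContext.newEngine(PooledByteBufAllocator.DEFAULT);
            enableProtocols(engine, tls.getProtocols());
            log.info("Enabled protocols for {} at address {} and port {}: {}",
                    listener.readableName(), listener.getBindAddress(), listener.getPort(),
                    Arrays.toString(engine.getEnabledProtocols()));

            final String[] enabledCipherSuites = engine.getEnabledCipherSuites();
            log.info("Enabled cipher suites for {} at address {} and port {}: {}",
                    listener.readableName(), listener.getBindAddress(), listener.getPort(),
                    Arrays.toString(enabledCipherSuites));

            final List<String> configuredCipherSuites = tls.getCipherSuites();
            if (configuredCipherSuites.isEmpty()) {
                return;
            }
            final Set<String> unknown = unknownCipherSuites(
                    configuredCipherSuites, enabledCipherSuites, sslContext instanceof OpenSslServerContext);
            if (!unknown.isEmpty()) {
                log.warn("Unknown cipher suites for {} at address {} and port {}: {}",
                        listener.readableName(), listener.getBindAddress(), listener.getPort(), unknown);
            }
        } catch (final Exception e) {
            log.error("Not able to create SSL server context. Reason: {}", e.getMessage());
            log.debug("Original exception", e);
            throw new UnrecoverableException(false);
        }
    }

    /**
     * Returns the configured cipher suites that the engine does not report as enabled.
     * <p>
     * For an OpenSSL-backed context the first {@value #CIPHER_SUITE_PREFIX_LENGTH} characters of every name are
     * ignored on both sides and {@code null} entries in the configuration are skipped; for other contexts the names
     * are compared verbatim.
     *
     * @param configured the cipher suites from the configuration
     * @param enabled    the cipher suites the engine reports as enabled
     * @param openSsl    whether the context is an {@link OpenSslServerContext}
     * @return the configured names without a match among the enabled ones
     */
    @NotNull
    private static Set<String> unknownCipherSuites(
            @NotNull final List<String> configured,
            @NotNull final String[] enabled,
            final boolean openSsl) {
        if (!openSsl) {
            return Sets.difference(ImmutableSet.copyOf(configured), ImmutableSet.copyOf(enabled));
        }
        final Set<String> enabledWithoutPrefix = new HashSet<>(enabled.length);
        for (final String suite : enabled) {
            enabledWithoutPrefix.add(stripPrefix(suite));
        }
        final Set<String> unknown = new HashSet<>();
        for (final String suite : configured) {
            if (suite != null && !enabledWithoutPrefix.contains(stripPrefix(suite))) {
                unknown.add(suite);
            }
        }
        return unknown;
    }

    /**
     * Drops the naming prefix of a cipher suite name; names shorter than the prefix are returned unchanged instead of
     * failing, so a malformed configuration entry is reported as unknown rather than aborting the bootstrap.
     */
    @NotNull
    private static String stripPrefix(@NotNull final String cipherSuite) {
        return cipherSuite.length() >= CIPHER_SUITE_PREFIX_LENGTH
                ? cipherSuite.substring(CIPHER_SUITE_PREFIX_LENGTH)
                : cipherSuite;
    }

    /**
     * Restricts the engine to the configured protocols; an empty list leaves the engine's defaults untouched.
     *
     * @param engine    the engine to configure
     * @param protocols the protocol names from the configuration
     */
    private static void enableProtocols(@NotNull final SSLEngine engine, @NotNull final List<String> protocols) {
        if (!protocols.isEmpty()) {
            engine.setEnabledProtocols(protocols.toArray(new String[0]));
        }
    }
}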
