package com.hivemq.security.ssl;

import com.hivemq.bootstrap.ClientConnection;
import com.hivemq.bootstrap.netty.ChannelHandlerNames;
import com.hivemq.configuration.service.entity.Tls;
import com.hivemq.extension.sdk.api.annotations.NotNull;
import com.hivemq.mqtt.handler.disconnect.MqttServerDisconnector;
import com.hivemq.util.ChannelAttributes;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/hivemq/security/ssl/SslClientCertificateHandler.class */
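/**
 * Netty inbound handler that runs once per connection after the TLS handshake has completed.
 * <p>
 * On a successful handshake it reads the peer certificate chain from the {@link SslHandler} registered
 * under {@link ChannelHandlerNames#SSL_HANDLER}, stores it on the channel's {@link ClientConnection} via
 * {@link ClientConnection#setAuthCertificate}, and then removes itself from the pipeline. When the peer
 * presented no certificate, the configured {@link Tls.ClientAuthMode} decides whether the connection is
 * closed ({@code REQUIRED}) or allowed to continue unauthenticated at the TLS layer ({@code OPTIONAL}).
 * <p>
 * Any unexpected condition (missing or foreign handler under the SSL name, an unrecognised
 * {@link SSLPeerUnverifiedException}) fails closed: the connection is disconnected rather than left
 * without a certificate.
 */
public class SslClientCertificateHandler extends ChannelInboundHandlerAdapter {
    private static final Logger log = LoggerFactory.getLogger(SslClientCertificateHandler.class);

    // Exception messages that signal "no peer certificate chain was presented" rather than an error.
    // NOTE(review): these are the literal wordings of the JDK's SSLSessionImpl and of netty's OpenSSL
    // engine respectively; they are compared verbatim because the exception carries no other
    // discriminator. Verify against the SSLEngine implementation actually in use.
    private static final String PEER_NOT_AUTHENTICATED = "peer not authenticated";
    private static final String PEER_NOT_VERIFIED = "peer not verified";

    @NotNull
    private final Tls tls;

    @NotNull
    private final MqttServerDisconnector mqttServerDisconnector;

    /**
     * Creates the handler for one TLS listener.
     *
     * @param tls                    the listener's TLS configuration; only {@link Tls#getClientAuthMode()} is read
     * @param mqttServerDisconnector used to log and close the connection when no usable certificate is available
     */
    public SslClientCertificateHandler(@NotNull Tls tls, @NotNull MqttServerDisconnector mqttServerDisconnector) {
        this.tls = tls;
        this.mqttServerDisconnector = mqttServerDisconnector;
    }

    /**
     * Handles {@link SslHandshakeCompletionEvent}; every other user event is forwarded unchanged.
     * <p>
     * A failed handshake is only logged: the event is not forwarded and this handler stays in the
     * pipeline. A successful handshake stores the peer chain on the {@link ClientConnection} and removes
     * this handler. In both the failed and the successful case the completion event is consumed here and
     * not passed to later handlers.
     *
     * @param channelHandlerContext the context of this handler
     * @param obj                   the user event
     * @throws IllegalStateException if no {@link SslHandler} is registered under
     *                               {@link ChannelHandlerNames#SSL_HANDLER}; the connection is closed first
     * @throws Exception             propagated from the superclass when forwarding other events
     */
    @Override
    public void userEventTriggered(@NotNull ChannelHandlerContext channelHandlerContext, @NotNull Object obj) throws Exception {
        if (!(obj instanceof SslHandshakeCompletionEvent)) {
            super.userEventTriggered(channelHandlerContext, obj);
            return;
        }
        SslHandshakeCompletionEvent handshakeEvent = (SslHandshakeCompletionEvent) obj;
        if (!handshakeEvent.isSuccess()) {
            // Nothing to extract from a failed handshake. NOTE(review): closing the channel on handshake
            // failure is left to the SslHandler itself - confirm that is configured for this pipeline.
            log.trace("Handshake failed", handshakeEvent.cause());
            return;
        }

        Channel channel = channelHandlerContext.channel();
        ChannelHandler handler = channel.pipeline().get(ChannelHandlerNames.SSL_HANDLER);
        if (!(handler instanceof SslHandler)) {
            // Covers both a missing handler (null) and a handler of the wrong type. Without the SslHandler
            // the peer chain cannot be read, so the connection is closed before the error is raised rather
            // than being left to continue without a certificate.
            this.mqttServerDisconnector.logAndClose(channel, null, "SSL handshake failed");
            throw new IllegalStateException("Not able to get SslHandler from pipeline (found: " + handler + ")");
        }
        SslHandler sslHandler = (SslHandler) handler;

        try {
            Certificate[] peerCertificates = sslHandler.engine().getSession().getPeerCertificates();
            ClientConnection clientConnection = (ClientConnection) channel.attr(ChannelAttributes.CLIENT_CONNECTION).get();
            clientConnection.setAuthCertificate(new SslClientCertificateImpl(peerCertificates));
        } catch (SSLPeerUnverifiedException e) {
            // getPeerCertificates() throws when no chain is available; the handler decides per auth mode.
            handleSslPeerUnverifiedException(channel, e);
        }
        // One-shot handler: the chain is fixed for the lifetime of the session.
        channel.pipeline().remove(this);
    }

    /**
     * Decides what to do when the TLS session has no peer certificate chain.
     * <p>
     * An exception whose message is not one of the known "no certificate presented" wordings is treated
     * as an error and the connection is closed (fail closed). Otherwise the outcome depends on
     * {@link Tls#getClientAuthMode()}: {@code REQUIRED} closes the connection, {@code OPTIONAL} only logs
     * at debug level, and any other mode is silently ignored.
     *
     * @param channel the channel whose handshake completed without a peer chain
     * @param e       the exception thrown by {@code SSLSession#getPeerCertificates()}
     */
    private void handleSslPeerUnverifiedException(@NotNull Channel channel, @NotNull SSLPeerUnverifiedException e) {
        if (!isNoCertificatePresented(e)) {
            log.error("An error occurred. Disconnecting client.", e);
            this.mqttServerDisconnector.logAndClose(channel, null, "SSL handshake failed");
            return;
        }
        // equals() on the constant keeps this null-safe if no auth mode is configured.
        Tls.ClientAuthMode clientAuthMode = this.tls.getClientAuthMode();
        if (Tls.ClientAuthMode.REQUIRED.equals(clientAuthMode)) {
            log.error("Client certificate authentication forced but no client certificate was provided. Disconnecting.", e);
            this.mqttServerDisconnector.logAndClose(channel, null, "No client certificate provided");
        } else if (Tls.ClientAuthMode.OPTIONAL.equals(clientAuthMode)) {
            log.debug("Client did not provide SSL certificate for authentication. Could not authenticate at application level");
        }
    }

    /**
     * Returns whether the exception is the engine's way of reporting an absent peer chain.
     * Matching is by exact message; an unknown wording deliberately reads as "not a plain absence" so the
     * caller takes the disconnecting branch.
     *
     * @param e the exception from {@code SSLSession#getPeerCertificates()}
     * @return {@code true} if the message is one of the known "no certificate presented" wordings
     */
    private static boolean isNoCertificatePresented(@NotNull SSLPeerUnverifiedException e) {
        String message = e.getMessage();
        return PEER_NOT_AUTHENTICATED.equals(message) || PEER_NOT_VERIFIED.equals(message);
    }
}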
