package com.hazelcast.nio.ssl;

import com.hazelcast.cluster.Address;
import com.hazelcast.config.InvalidConfigurationException;
import com.hazelcast.internal.nio.ssl.SSLEngineFactorySupport;
import com.hazelcast.internal.util.ExceptionUtil;
import com.hazelcast.logging.ILogger;
import com.hazelcast.logging.Logger;
import io.netty.buffer.UnpooledByteBufAllocator;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.internal.tcnative.SSL;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

/* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/nio/ssl/OpenSSLEngineFactory.class */
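/**
 * {@link SSLEngineFactory} that builds engines through Netty's OpenSSL provider
 * ({@link SslProvider#OPENSSL}).
 *
 * <p>Key material and trust material come either from the PEM-style file properties
 * declared on this class or, when those are absent, from the {@code kmf}/{@code tmf}
 * factories prepared by {@link SSLEngineFactorySupport#load(Properties)}. Each call to
 * {@link #create(boolean, Address)} builds a fresh {@link SslContext}.
 *
 * <p>Thread-safety: {@link #init(Properties, boolean)} must complete before
 * {@link #create(boolean, Address)} is called; the fields written by {@code init} are
 * not guarded by any lock.
 */
public class OpenSSLEngineFactory extends SSLEngineFactorySupport implements SSLEngineFactory {
    /** Property naming the private key file handed to Netty's key manager. */
    public static final String KEY_FILE = "keyFile";
    /** Property holding the password protecting {@link #KEY_FILE}; may be absent. */
    public static final String KEY_PASSWORD = "keyPassword";
    /** Property naming the certificate chain file that belongs to {@link #KEY_FILE}. */
    public static final String KEY_CERT_CHAIN_FILE = "keyCertChainFile";
    /** Property naming the trusted-certificate collection handed to Netty's trust manager. */
    public static final String TRUST_CERT_COLLECTION_FILE = "trustCertCollectionFile";
    /** Property that, when {@code "true"}, puts the OpenSSL library into FIPS mode during {@link #init}. */
    public static final String FIPS_MODE = "fipsMode";

    /** Protocol used when the {@code protocol} property is not set, and what {@code TLS} is mapped to. */
    private static final String DEFAULT_PROTOCOL = "TLSv1.2";
    /** Property key reported in the error message for an unrecognized mutual-authentication value. */
    private static final String MUTUAL_AUTH_PROPERTY_FOR_MESSAGE = "javax.net.ssl.mutualAuthentication";

    private final ILogger logger = Logger.getLogger(OpenSSLEngineFactory.class);
    // Populated by init(); empty list means "use the provider's default cipher suites".
    private List<String> cipherSuites;
    // Populated by init(); only applied to server-side contexts.
    private ClientAuth clientAuth;
    private String keyCertChainFile;
    private String keyFile;
    // Held as a String because that is what the property API hands us; it is never logged here.
    private String keyPassword;
    private String trustCertCollectionFile;

    /**
     * Returns the cipher suites parsed from the {@code ciphersuites} property.
     *
     * @return the configured suites, or an empty list when the provider defaults are used
     */
    List<String> getCipherSuites() {
        return this.cipherSuites;
    }

    /**
     * Loads all configuration from {@code properties}, ensures OpenSSL is available,
     * optionally enables FIPS mode and finally builds (and discards) one context per role
     * to fail fast on bad configuration.
     *
     * @param properties the SSL configuration properties
     * @param clientMode {@code true} when this member only acts as a TLS client
     * @throws Exception when OpenSSL is unavailable, FIPS mode cannot be enabled, or the
     *                   configuration cannot produce a working context
     */
    @Override // com.hazelcast.nio.ssl.SSLEngineFactory
    public void init(Properties properties, boolean clientMode) throws Exception {
        load(properties);
        this.keyFile = getProperty(properties, KEY_FILE);
        this.keyPassword = getProperty(properties, KEY_PASSWORD);
        this.keyCertChainFile = getProperty(properties, KEY_CERT_CHAIN_FILE);
        this.trustCertCollectionFile = getProperty(properties, TRUST_CERT_COLLECTION_FILE);
        this.cipherSuites = loadCipherSuites(properties);
        this.protocol = loadProtocol(properties);
        this.clientAuth = loadClientAuth(properties);
        OpenSsl.ensureAvailability();
        // parseBoolean(null) is false, so an absent property leaves FIPS mode off.
        if (Boolean.parseBoolean(getProperty(properties, FIPS_MODE))) {
            this.logger.info("Enabling OpenSSL in FIPS mode.");
            // NOTE(review): the result of fipsModeSet is not inspected; the success message
            // below is only trustworthy if the call throws on failure — confirm against tcnative.
            SSL.fipsModeSet(1);
            this.logger.info("OpenSSL is enabled in FIPS mode.");
        }
        logInit();
        sanityCheck(clientMode);
    }

    /** Logs the effective provider, cipher suites and client-auth mode (never key material). */
    private void logInit() {
        this.logger.info("Using OpenSSL for SSL encryption.");
        if (!this.logger.isFineEnabled()) {
            return;
        }
        String suites = this.cipherSuites.isEmpty() ? "default" : String.valueOf(this.cipherSuites);
        this.logger.fine("ciphersuites: " + suites);
        this.logger.fine("clientAuth: " + this.clientAuth);
    }

    /**
     * Resolves the {@code protocol} property, defaulting to {@value #DEFAULT_PROTOCOL}.
     *
     * <p>The JSSE-style aliases {@code TLS} and {@code SSL} are mapped to a concrete
     * version because the engine enables exactly one protocol string. The {@code SSL}
     * alias is retained for backward compatibility only; SSLv3 is deprecated (RFC 7568)
     * and should not be relied on.
     *
     * @param properties the SSL configuration properties
     * @return the protocol name to enable on every engine
     */
    private String loadProtocol(Properties properties) {
        String configured = getProperty(properties, "protocol", DEFAULT_PROTOCOL);
        if ("TLS".equals(configured)) {
            this.logger.warning("Protocol [TLS] has been cast to [TLSv1.2]");
            return DEFAULT_PROTOCOL;
        }
        if ("SSL".equals(configured)) {
            this.logger.warning("Protocol [SSL] has been cast to [SSLv3]");
            return "SSLv3";
        }
        return configured;
    }

    /**
     * Builds one throw-away engine per role this member can take, so that configuration
     * errors surface at startup rather than on the first connection.
     *
     * @param clientMode {@code true} when only the client role needs checking
     * @throws SSLException when a context cannot be built
     */
    private void sanityCheck(boolean clientMode) throws SSLException {
        if (!clientMode) {
            // A full member accepts connections too, so the server context must work as well.
            sanityCheck0(false);
        }
        sanityCheck0(true);
    }

    /** Creates an engine for the given role and immediately closes it. */
    private void sanityCheck0(boolean clientMode) throws SSLException {
        SSLEngine engine = create(clientMode, null);
        engine.closeInbound();
        engine.closeOutbound();
    }

    /**
     * Parses the comma-separated {@code ciphersuites} property.
     *
     * @param properties the SSL configuration properties
     * @return the non-blank, trimmed suite names in configured order; empty when unset
     */
    private List<String> loadCipherSuites(Properties properties) {
        String[] parts = getProperty(properties, "ciphersuites", "").split(",");
        List<String> suites = new ArrayList<String>(parts.length);
        for (String part : parts) {
            String name = part.trim();
            if (!name.isEmpty()) {
                suites.add(name);
            }
        }
        return suites;
    }

    /**
     * Maps the {@code mutualAuthentication} property to Netty's {@link ClientAuth}.
     * When the property is absent, client certificates are not requested.
     *
     * @param properties the SSL configuration properties
     * @return {@link ClientAuth#NONE}, {@link ClientAuth#REQUIRE} or {@link ClientAuth#OPTIONAL}
     * @throws IllegalArgumentException for any value other than {@code REQUIRED}/{@code OPTIONAL}
     */
    private ClientAuth loadClientAuth(Properties properties) {
        String mode = getProperty(properties, "mutualAuthentication");
        if (mode == null) {
            return ClientAuth.NONE;
        }
        switch (mode) {
            case "REQUIRED":
                return ClientAuth.REQUIRE;
            case "OPTIONAL":
                return ClientAuth.OPTIONAL;
            default:
                throw new IllegalArgumentException(
                        String.format("Unrecognized value [%s] for [%s]", mode, MUTUAL_AUTH_PROPERTY_FOR_MESSAGE));
        }
    }

    /**
     * Creates a new engine backed by a freshly built {@link SslContext}, restricted to
     * the single configured protocol.
     *
     * @param clientMode {@code true} for a client-side engine, {@code false} for server-side
     * @param address    peer address used for the engine's host/port hints; may be {@code null}
     * @return the configured engine
     * @throws InvalidConfigurationException when the provider rejects the protocol or cipher suites
     * @throws RuntimeException for any other {@link SSLException} raised while building the context
     */
    @Override // com.hazelcast.nio.ssl.SSLEngineFactory
    public SSLEngine create(boolean clientMode, Address address) {
        try {
            SslContext context = createSslContext(clientMode);
            SSLEngine engine = address == null
                    ? context.newEngine(UnpooledByteBufAllocator.DEFAULT)
                    : context.newEngine(UnpooledByteBufAllocator.DEFAULT, address.getHost(), address.getPort());
            // Only the configured protocol is offered; nothing else the provider supports is enabled.
            engine.setEnabledProtocols(new String[]{this.protocol});
            return engine;
        } catch (IllegalArgumentException e) {
            // The provider reports an unsupported protocol only through its message text,
            // so classification is by substring; other IllegalArgumentExceptions pass through.
            if (isUnsupportedProtocol(e)) {
                throw new InvalidConfigurationException(e.getMessage(), e);
            }
            throw ExceptionUtil.sneakyThrow(e);
        } catch (SSLException e) {
            // Same message-sniffing approach for cipher-suite rejections.
            if (isCipherSuiteProblem(e)) {
                throw new InvalidConfigurationException(e.getMessage(), e);
            }
            throw new RuntimeException(e);
        }
    }

    /** True when the message looks like Netty's "Protocol ... is not supported" rejection. */
    private static boolean isUnsupportedProtocol(IllegalArgumentException e) {
        String message = e.getMessage();
        return message != null && message.contains("Protocol") && message.contains("is not supported");
    }

    /** True when the message mentions a cipher suite problem. */
    private static boolean isCipherSuiteProblem(SSLException e) {
        String message = e.getMessage();
        return message != null && message.contains("cipher suite");
    }

    /**
     * Builds an OpenSSL-backed {@link SslContext} for the requested role.
     *
     * <p>Trust comes from {@link #TRUST_CERT_COLLECTION_FILE} when set, otherwise from the
     * inherited {@code tmf}. Cipher suites are only overridden when the property lists any.
     *
     * @param clientMode {@code true} for a client context, {@code false} for a server context
     * @return the built context
     * @throws SSLException when the provider cannot build the context
     */
    protected SslContext createSslContext(boolean clientMode) throws SSLException {
        SslContextBuilder builder = createSslContextBuilder(clientMode);
        if (this.trustCertCollectionFile != null) {
            builder.trustManager(new File(this.trustCertCollectionFile));
        } else {
            builder.trustManager(this.tmf);
        }
        if (!this.cipherSuites.isEmpty()) {
            builder.ciphers(this.cipherSuites);
        }
        builder.sslProvider(SslProvider.OPENSSL);
        return builder.build();
    }

    /**
     * Creates the role-specific builder and attaches key material: the
     * {@link #KEY_FILE}/{@link #KEY_CERT_CHAIN_FILE} pair when a key file is configured,
     * otherwise the inherited {@code kmf}. Server builders also receive the client-auth mode.
     *
     * @param clientMode {@code true} for {@link SslContextBuilder#forClient()}, else a server builder
     * @return the builder, not yet built
     */
    private SslContextBuilder createSslContextBuilder(boolean clientMode) {
        File certChain = this.keyCertChainFile != null ? new File(this.keyCertChainFile) : null;
        File privateKey = this.keyFile != null ? new File(this.keyFile) : null;
        // NOTE(review): a key file without a matching chain file is passed to Netty as-is
        // (certChain == null); whether that is rejected is left to the provider — consider
        // validating the pair in init() for a clearer error.
        if (clientMode) {
            SslContextBuilder builder = SslContextBuilder.forClient();
            if (privateKey != null) {
                builder.keyManager(certChain, privateKey, this.keyPassword);
            } else {
                builder.keyManager(this.kmf);
            }
            return builder;
        }
        SslContextBuilder builder = privateKey != null
                ? SslContextBuilder.forServer(certChain, privateKey, this.keyPassword)
                : SslContextBuilder.forServer(this.kmf);
        builder.clientAuth(this.clientAuth);
        return builder;
    }
}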
