package com.netflix.zuul.netty.server.psk;

import com.google.common.primitives.Bytes;
import com.netflix.spectator.api.Registry;
import com.netflix.spectator.api.Timer;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslCloseCompletionEvent;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.util.AttributeKey;
import java.io.IOException;
import java.util.Hashtable;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.Vector;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import org.bouncycastle.tls.AbstractTlsServer;
import org.bouncycastle.tls.AlertDescription;
import org.bouncycastle.tls.AlertLevel;
import org.bouncycastle.tls.BasicTlsPSKExternal;
import org.bouncycastle.tls.ProtocolName;
import org.bouncycastle.tls.ProtocolVersion;
import org.bouncycastle.tls.PskIdentity;
import org.bouncycastle.tls.TlsCredentials;
import org.bouncycastle.tls.TlsFatalAlert;
import org.bouncycastle.tls.TlsPSKExternal;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/netflix/zuul/netty/server/psk/ZuulPskServer.class */
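/**
 * TLS 1.3 server side of a handshake keyed by an externally provisioned pre-shared key (PSK).
 *
 * <p>{@link #getCredentials()} returns {@code null}, so no certificate credentials are offered by this
 * class; the key for a connection comes from the {@link ExternalTlsPskProvider}, looked up by the identity
 * the client offers. Handshake progress is mirrored onto the Netty channel through
 * {@link #TLS_HANDSHAKE_USING_EXTERNAL_PSK} and the SSL completion events fired on the handler context.
 *
 * <p>NOTE(review): this listing is decompiler output. Constructs that were not valid source (an undefined
 * {@code r1} variable, raw {@code Consumer} method references, a checked alert thrown from a method that
 * declares none) have been rewritten below; parameter names are kept as the decompiler produced them.
 */
public class ZuulPskServer extends AbstractTlsServer {
    private static final Logger LOGGER = LoggerFactory.getLogger(ZuulPskServer.class);

    /**
     * Channel attribute that is set to {@code false} when a handshake begins and to {@code true} only in
     * {@link #notifyHandshakeComplete()}. Handlers that make trust decisions should read this flag rather
     * than the mere presence of a client PSK identity on the channel.
     */
    public static final AttributeKey<Boolean> TLS_HANDSHAKE_USING_EXTERNAL_PSK = AttributeKey.newInstance("_tls_handshake_using_external_psk");

    private final PSKTimings pskTimings;
    private final ExternalTlsPskProvider externalTlsPskProvider;
    private final ChannelHandlerContext ctx;
    private final Set<ProtocolName> supportedApplicationProtocols;

    /* loaded from: input_file:com/netflix/zuul/netty/server/psk/ZuulPskServer$PSKTimings.class */
    /** Measures the time between handshake start and handshake completion for one connection. */
    private static class PSKTimings {
        private final Timer handshakeCompleteTimer;
        // Stays null until recordHandshakeStarting() has run.
        private Long handshakeStartTime;

        PSKTimings(Registry registry) {
            this.handshakeCompleteTimer = registry.timer("zuul.psk.handshake.complete.time");
        }

        /** Remembers the current {@link System#nanoTime()} as the start of the handshake. */
        public void recordHandshakeStarting() {
            this.handshakeStartTime = System.nanoTime();
        }

        /**
         * Records the elapsed handshake time. Does nothing when no start was recorded, so a completion
         * callback without a matching start cannot fail the handshake with a NullPointerException.
         */
        public void recordHandshakeComplete() {
            Long startedAt = this.handshakeStartTime;
            if (startedAt == null) {
                return;
            }
            this.handshakeCompleteTimer.record(System.nanoTime() - startedAt, TimeUnit.NANOSECONDS);
        }
    }

    /**
     * @param tlsCrypto crypto implementation handed to the superclass
     * @param registry metrics registry used for the handshake timer
     * @param externalTlsPskProvider source of the pre-shared key for an offered client identity
     * @param channelHandlerContext Netty context whose channel attributes and user events are updated
     * @param set application protocols to advertise; may be {@code null}, meaning none
     */
    public ZuulPskServer(TlsCrypto tlsCrypto, Registry registry, ExternalTlsPskProvider externalTlsPskProvider, ChannelHandlerContext channelHandlerContext, Set<ProtocolName> set) {
        super(tlsCrypto);
        this.pskTimings = new PSKTimings(registry);
        this.externalTlsPskProvider = externalTlsPskProvider;
        this.ctx = channelHandlerContext;
        this.supportedApplicationProtocols = set;
    }

    /** Always returns {@code null}: this server configures no credentials of its own. */
    public TlsCredentials getCredentials() {
        return null;
    }

    /**
     * Returns the configured application protocols as a fresh {@link Vector}.
     *
     * @return a new vector holding every configured protocol name, empty when none were configured
     */
    protected Vector getProtocolNames() {
        Vector<ProtocolName> names = new Vector<>();
        if (this.supportedApplicationProtocols != null) {
            names.addAll(this.supportedApplicationProtocols);
        }
        return names;
    }

    /** Starts the handshake timer and resets the PSK flag on the channel before delegating to the superclass. */
    public void notifyHandshakeBeginning() throws IOException {
        this.pskTimings.recordHandshakeStarting();
        // Reset first so a value left over from an earlier handshake on this channel is never trusted.
        this.ctx.channel().attr(TLS_HANDSHAKE_USING_EXTERNAL_PSK).set(false);
        super.notifyHandshakeBeginning();
    }

    /** Records the handshake duration, marks the channel as PSK-authenticated and fires the success event. */
    public void notifyHandshakeComplete() throws IOException {
        this.pskTimings.recordHandshakeComplete();
        this.ctx.channel().attr(TLS_HANDSHAKE_USING_EXTERNAL_PSK).set(true);
        super.notifyHandshakeComplete();
        this.ctx.fireUserEventTriggered(SslHandshakeCompletionEvent.SUCCESS);
    }

    /** Restricts negotiation to TLS 1.3. */
    protected ProtocolVersion[] getSupportedVersions() {
        return ProtocolVersion.TLSv13.only();
    }

    /**
     * Offers the cipher suites keyed in {@code TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP},
     * passed through {@code TlsUtils.getSupportedCipherSuites} together with this server's crypto.
     */
    protected int[] getSupportedCipherSuites() {
        int[] configuredSuites = TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP.keySet().stream()
                .mapToInt(suite -> suite.intValue())
                .toArray();
        return TlsUtils.getSupportedCipherSuites(getCrypto(), configuredSuites);
    }

    /** Delegates to the superclass unchanged. */
    public ProtocolVersion getServerVersion() throws IOException {
        return super.getServerVersion();
    }

    /**
     * Resolves the external PSK for the first identity offered by the client.
     *
     * <p>Only element 0 of {@code vector} is consulted; any further offered identities are ignored. The
     * identity bytes are client-supplied and are stored on the channel under
     * {@code TlsPskHandler.CLIENT_PSK_IDENTITY_ATTRIBUTE_KEY} <em>before</em> the provider has validated
     * them, so that attribute must be treated as unauthenticated until
     * {@link #TLS_HANDSHAKE_USING_EXTERNAL_PSK} is {@code true}.
     *
     * <p>Failures surface as {@link TlsFatalAlert}. That type is a checked {@link IOException} while this
     * method's signature declares none, so it is rethrown unchecked with its type intact.
     *
     * @param vector the PSK identities offered by the client
     * @return the PSK bound to the offered identity and to the PRF of the selected cipher suite
     */
    public TlsPSKExternal getExternalPSK(Vector vector) {
        try {
            return resolveExternalPsk(vector);
        } catch (IOException e) {
            throw rethrowUnchecked(e);
        }
    }

    /** Does the work of {@link #getExternalPSK(Vector)} with the checked alert type still declared. */
    private TlsPSKExternal resolveExternalPsk(Vector vector) throws IOException {
        if (vector == null || vector.isEmpty()) {
            // Previously an empty offer escaped as an index error instead of a TLS alert.
            throw new TlsFatalAlert(AlertDescription.unknown_psk_identity, "Client offered no PSK identity");
        }
        byte[] identity = ((PskIdentity) vector.get(0)).getIdentity();
        try {
            this.ctx.channel().attr(TlsPskHandler.CLIENT_PSK_IDENTITY_ATTRIBUTE_KEY).set(new ClientPSKIdentityInfo(List.copyOf(Bytes.asList(identity))));
            // The client random is passed along so the provider can bind the key to this handshake.
            // NOTE(review): the key material returned by the provider is not wiped here; confirm whether
            // createSecret copies its input before adding zeroisation.
            var pskSecret = getCrypto().createSecret(this.externalTlsPskProvider.provide(identity, this.context.getSecurityParametersHandshake().getClientRandom()));
            int prfAlgorithm = getPRFAlgorithm13(getSelectedCipherSuite());
            if (prfAlgorithm < 0) {
                // Fail closed instead of building a PSK around an unknown PRF.
                throw new TlsFatalAlert(AlertDescription.internal_error, "No TLS 1.3 PRF known for the selected cipher suite");
            }
            return new BasicTlsPSKExternal(identity, pskSecret, prfAlgorithm);
        } catch (PskCreationFailureException e) {
            // The alert description chosen here is what the peer sees; the detail message and cause stay local.
            switch (e.getTlsAlertMessage()) {
                case unknown_psk_identity ->
                    throw new TlsFatalAlert(AlertDescription.unknown_psk_identity, "Unknown or null client PSk identity", e);
                case decrypt_error ->
                    throw new TlsFatalAlert(AlertDescription.decrypt_error, "Invalid or expired client PSk identity", e);
                default ->
                    // An alert kind this class does not know still has to end the handshake with an alert.
                    throw new TlsFatalAlert(AlertDescription.internal_error, "Unexpected PSK creation failure", e);
            }
        }
    }

    /**
     * Rethrows {@code failure} without wrapping it, even when it is a checked exception.
     * Declared to return a value only so call sites can write {@code throw rethrowUnchecked(e)}.
     */
    @SuppressWarnings("unchecked")
    private static <E extends Throwable> RuntimeException rethrowUnchecked(Throwable failure) throws E {
        throw (E) failure;
    }

    /**
     * Logs an alert raised by this server and, for {@code close_notify}, fires the close-completion event.
     *
     * @param s alert level
     * @param s2 alert description
     * @param str optional detail message, logged at the same level as the alert
     * @param th optional cause; when present it is always logged at error level, whatever the alert level
     */
    public void notifyAlertRaised(short s, short s2, String str, Throwable th) {
        super.notifyAlertRaised(s, s2, str, th);
        Consumer<String> sink = logSinkFor(s);
        sink.accept("TLS/PSK server raised alert: " + AlertLevel.getText(s) + ", " + AlertDescription.getText(s2));
        if (str != null) {
            sink.accept("> " + str);
        }
        if (th != null) {
            LOGGER.error("TLS/PSK alert stacktrace", th);
        }
        if (s2 == AlertDescription.close_notify) {
            this.ctx.fireUserEventTriggered(SslCloseCompletionEvent.SUCCESS);
        }
    }

    /**
     * Logs an alert received from the peer: error level for fatal alerts, debug level otherwise.
     * Unlike {@link #notifyAlertRaised(short, short, String, Throwable)} this does not call the superclass.
     *
     * @param s alert level
     * @param s2 alert description
     */
    public void notifyAlertReceived(short s, short s2) {
        logSinkFor(s).accept("TLS 1.3 PSK server received alert: " + AlertLevel.getText(s) + ", " + AlertDescription.getText(s2));
    }

    /** Picks the logger method for an alert level: error for fatal alerts, debug for everything else. */
    private static Consumer<String> logSinkFor(short alertLevel) {
        return alertLevel == AlertLevel.fatal ? LOGGER::error : LOGGER::debug;
    }

    /**
     * Rejects the handshake with {@code internal_error} when no client random is available, since
     * {@link #getExternalPSK(Vector)} passes that value to the PSK provider.
     */
    public void processClientExtensions(Hashtable hashtable) throws IOException {
        if (this.context.getSecurityParametersHandshake().getClientRandom() == null) {
            throw new TlsFatalAlert(AlertDescription.internal_error);
        }
        super.processClientExtensions(hashtable);
    }

    /** Rejects the handshake with {@code internal_error} when no server random is available. */
    public Hashtable getServerExtensions() throws IOException {
        if (this.context.getSecurityParametersHandshake().getServerRandom() == null) {
            throw new TlsFatalAlert(AlertDescription.internal_error);
        }
        return super.getServerExtensions();
    }

    /** Rejects the handshake with {@code internal_error} when no server random is available. */
    public void getServerExtensionsForConnection(Hashtable hashtable) throws IOException {
        if (this.context.getSecurityParametersHandshake().getServerRandom() == null) {
            throw new TlsFatalAlert(AlertDescription.internal_error);
        }
        super.getServerExtensionsForConnection(hashtable);
    }

    /**
     * @return the application protocol recorded in the connection's security parameters, decoded as
     *     UTF-8, or {@code null} when none was negotiated
     */
    public String getApplicationProtocol() {
        ProtocolName negotiated = this.context.getSecurityParametersConnection().getApplicationProtocol();
        return negotiated == null ? null : negotiated.getUtf8Decoding();
    }

    /**
     * Maps a cipher suite code to the PRF algorithm code used for its PSK.
     *
     * <p>NOTE(review): the literals are what the decompiler emitted. The suite codes match the IANA
     * TLS 1.3 registry (0x1301-0x1305, plus 0x00C6/0x00C7 for the SM4 suites); the return codes appear
     * to be BouncyCastle PRFAlgorithm values (4 = HKDF-SHA256, 5 = HKDF-SHA384, 7 = HKDF-SM3) and should
     * be confirmed against the BouncyCastle version in use.
     *
     * @param i cipher suite code
     * @return the PRF algorithm code, or {@code -1} when the suite is not recognised
     */
    private static int getPRFAlgorithm13(int i) {
        switch (i) {
            case 198:  // 0x00C6
            case 199:  // 0x00C7
                return 7;
            case 4865: // 0x1301
            case 4867: // 0x1303
            case 4868: // 0x1304
            case 4869: // 0x1305
                return 4;
            case 4866: // 0x1302
                return 5;
            default:
                return -1;
        }
    }
}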
