package com.netflix.zuul.netty.server.psk;

import com.netflix.spectator.api.Registry;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPromise;
import io.netty.util.AttributeKey;
import io.netty.util.ReferenceCountUtil;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLSession;
import org.bouncycastle.tls.ProtocolName;
import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider;

/* loaded from: input_file:com/netflix/zuul/netty/server/psk/TlsPskHandler.class */
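/**
 * Netty duplex handler that terminates TLS with pre-shared keys (PSK) on a channel.
 *
 * <p>Outbound application data is passed through a per-handler {@link TlsPskServerProtocol}
 * and the resulting bytes are written to the channel. A {@link TlsPskDecoder} sharing the same
 * protocol object is installed in front of this handler when it is added to a pipeline
 * (presumably to feed inbound TLS records into it; the decoder is not shown here).
 *
 * <p>The handler keeps per-connection TLS state and must not be shared between channels.
 */
public class TlsPskHandler extends ChannelDuplexHandler {
    /**
     * TLS 1.3 cipher suites offered for PSK handshakes, keyed by their IANA code point
     * (0x1301 and 0x1302). Both are AEAD suites; extend this list deliberately, since it is
     * the allow-list a negotiated suite is expected to be checked against.
     */
    public static final Map<Integer, String> SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP =
            Map.of(0x1301, "TLS_AES_128_GCM_SHA256", 0x1302, "TLS_AES_256_GCM_SHA384");

    /**
     * Channel attribute under which the client's PSK identity information is stored.
     * NOTE(review): the attribute is not set in this class; confirm where it is populated and
     * that consumers only trust it after the handshake has completed.
     */
    public static final AttributeKey<ClientPSKIdentityInfo> CLIENT_PSK_IDENTITY_ATTRIBUTE_KEY =
            AttributeKey.newInstance("_client_psk_identity_info");

    /** CSPRNG shared by every channel; handed to the BouncyCastle crypto provider. */
    public static final SecureRandom secureRandom = new SecureRandom();

    private final Registry registry;
    private final ExternalTlsPskProvider externalTlsPskProvider;
    private final Set<ProtocolName> supportedApplicationProtocols;
    private final TlsPskServerProtocol tlsPskServerProtocol = new TlsPskServerProtocol();
    // Created in channelRegistered(); null until then.
    private ZuulPskServer tlsPskServer;

    /**
     * @param registry metrics registry passed on to the {@link ZuulPskServer}
     * @param externalTlsPskProvider source of pre-shared keys, passed on to the {@link ZuulPskServer}
     * @param set application protocols (ALPN names) this server supports
     */
    public TlsPskHandler(Registry registry, ExternalTlsPskProvider externalTlsPskProvider, Set<ProtocolName> set) {
        this.registry = registry;
        this.externalTlsPskProvider = externalTlsPskProvider;
        this.supportedApplicationProtocols = set;
    }

    /**
     * Passes outbound application data through the TLS protocol object and writes the
     * resulting bytes to the channel.
     *
     * <p>Only {@link ByteBuf} messages are accepted. Anything else is released and the promise
     * is failed, so no message reaches the wire without going through the TLS protocol object.
     *
     * @param channelHandlerContext context of this handler
     * @param obj message to write; must be a {@link ByteBuf}
     * @param channelPromise promise completed once the write has been handled
     * @throws Exception if the TLS protocol object rejects the application data
     */
    public void write(ChannelHandlerContext channelHandlerContext, Object obj, ChannelPromise channelPromise) throws Exception {
        if (!(obj instanceof ByteBuf)) {
            ReferenceCountUtil.safeRelease(obj);
            channelPromise.setFailure(new IllegalStateException("Failed to write message on the channel. Message is not a ByteBuf"));
            return;
        }
        // NOTE(review): going by its name, the helper copies the readable bytes and releases
        // the buffer; confirm against TlsPskUtils.
        byte[] plaintext = TlsPskUtils.getAppDataBytesAndRelease((ByteBuf) obj);
        this.tlsPskServerProtocol.writeApplicationData(plaintext, 0, plaintext.length);

        int pending = this.tlsPskServerProtocol.getAvailableOutputBytes();
        if (pending == 0) {
            // Nothing was produced (for example an empty buffer was written). Complete the
            // promise anyway; otherwise a caller waiting on it would never be notified.
            channelPromise.trySuccess();
            return;
        }
        byte[] records = new byte[pending];
        this.tlsPskServerProtocol.readOutput(records, 0, pending);
        channelHandlerContext.writeAndFlush(Unpooled.wrappedBuffer(records), channelPromise).addListener(ChannelFutureListener.FIRE_EXCEPTION_ON_FAILURE);
    }

    /**
     * Installs the {@link TlsPskDecoder} immediately before this handler in the pipeline,
     * bound to the same protocol object this handler writes through.
     *
     * @param channelHandlerContext context of this handler
     */
    public void handlerAdded(ChannelHandlerContext channelHandlerContext) {
        channelHandlerContext.pipeline().addBefore(channelHandlerContext.name(), "tls_psk_handler", new TlsPskDecoder(this.tlsPskServerProtocol));
    }

    /**
     * Creates the per-channel {@link ZuulPskServer} and hands it to the protocol object via
     * {@code accept}, then forwards the registration event.
     *
     * @param channelHandlerContext context of this handler
     * @throws Exception if the protocol object or a later handler fails
     */
    public void channelRegistered(ChannelHandlerContext channelHandlerContext) throws Exception {
        this.tlsPskServer = new ZuulPskServer(new JcaTlsCryptoProvider().create(secureRandom), this.registry, this.externalTlsPskProvider, channelHandlerContext, this.supportedApplicationProtocols);
        this.tlsPskServerProtocol.accept(this.tlsPskServer);
        super.channelRegistered(channelHandlerContext);
    }

    /**
     * @return the application protocol reported by the {@link ZuulPskServer}, or {@code null}
     *     if the channel has not been registered yet
     */
    public String getApplicationProtocol() {
        return this.tlsPskServer == null ? null : this.tlsPskServer.getApplicationProtocol();
    }

    /**
     * @return the session exposed by the TLS protocol object
     */
    public SSLSession getSession() {
        // tlsPskServerProtocol is a final field initialised at construction, so it is never null.
        return this.tlsPskServerProtocol.getSSLSession();
    }
}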
