package com.netflix.zuul.netty.ssl;

import com.google.errorprone.annotations.ForOverride;
import com.netflix.config.DynamicBooleanProperty;
import com.netflix.netty.common.ssl.ServerSslConfig;
import com.netflix.spectator.api.Id;
import com.netflix.spectator.api.Registry;
import com.netflix.spectator.api.patterns.PolledMeter;
import io.netty.handler.ssl.CipherSuiteFilter;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.OpenSslSessionStats;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import java.util.Objects;
import java.util.function.ToDoubleFunction;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/netflix/zuul/netty/ssl/BaseSslContextFactory.class */
public class BaseSslContextFactory implements SslContextFactory {
    private static final Logger LOG = LoggerFactory.getLogger(BaseSslContextFactory.class);
    private static final DynamicBooleanProperty ALLOW_USE_OPENSSL = new DynamicBooleanProperty("zuul.ssl.openssl.allow", true);
    protected final Registry spectatorRegistry;
    protected final ServerSslConfig serverSslConfig;

    public BaseSslContextFactory(Registry registry, ServerSslConfig serverSslConfig) {
        this.spectatorRegistry = (Registry) Objects.requireNonNull(registry);
        this.serverSslConfig = (ServerSslConfig) Objects.requireNonNull(serverSslConfig);
    }

    @Override // com.netflix.zuul.netty.ssl.SslContextFactory
    public SslContextBuilder createBuilderForServer() {
        try {
            List<X509Certificate> trustedX509Certificates = getTrustedX509Certificates();
            SslProvider chooseSslProvider = chooseSslProvider();
            LOG.debug("Using SslProvider of type {}", chooseSslProvider.name());
            SslContextBuilder sslProvider = newBuilderForServer().ciphers(getCiphers(), getCiphersFilter()).sessionTimeout(this.serverSslConfig.getSessionTimeout()).sslProvider(chooseSslProvider);
            if (this.serverSslConfig.getClientAuth() != null && trustedX509Certificates != null && !trustedX509Certificates.isEmpty()) {
                sslProvider = sslProvider.trustManager((X509Certificate[]) trustedX509Certificates.toArray(new X509Certificate[0])).clientAuth(this.serverSslConfig.getClientAuth());
            }
            return sslProvider;
        } catch (Exception e) {
            throw new RuntimeException("Error configuring SslContext!", e);
        }
    }

    @ForOverride
    protected SslContextBuilder newBuilderForServer() throws IOException {
        LOG.debug("Using certChainFile {}", this.serverSslConfig.getCertChainFile());
        InputStream keyInputStream = getKeyInputStream();
        try {
            FileInputStream fileInputStream = new FileInputStream(this.serverSslConfig.getCertChainFile());
            try {
                SslContextBuilder forServer = SslContextBuilder.forServer(fileInputStream, keyInputStream);
                fileInputStream.close();
                if (keyInputStream != null) {
                    keyInputStream.close();
                }
                return forServer;
            } finally {
            }
        } catch (Throwable th) {
            if (keyInputStream != null) {
                try {
                    keyInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // com.netflix.zuul.netty.ssl.SslContextFactory
    public void enableSessionTickets(SslContext sslContext) {
    }

    @Override // com.netflix.zuul.netty.ssl.SslContextFactory
    public void configureOpenSslStatsMetrics(SslContext sslContext, String str) {
        if (sslContext instanceof ReferenceCountedOpenSslContext) {
            OpenSslSessionStats stats = ((ReferenceCountedOpenSslContext) sslContext).sessionContext().stats();
            openSslStatGauge(stats, str, "accept", (v0) -> {
                return v0.accept();
            });
            openSslStatGauge(stats, str, "accept_good", (v0) -> {
                return v0.acceptGood();
            });
            openSslStatGauge(stats, str, "accept_renegotiate", (v0) -> {
                return v0.acceptRenegotiate();
            });
            openSslStatGauge(stats, str, "number", (v0) -> {
                return v0.number();
            });
            openSslStatGauge(stats, str, "connect", (v0) -> {
                return v0.connect();
            });
            openSslStatGauge(stats, str, "connect_good", (v0) -> {
                return v0.connectGood();
            });
            openSslStatGauge(stats, str, "connect_renegotiate", (v0) -> {
                return v0.connectRenegotiate();
            });
            openSslStatGauge(stats, str, "hits", (v0) -> {
                return v0.hits();
            });
            openSslStatGauge(stats, str, "cb_hits", (v0) -> {
                return v0.cbHits();
            });
            openSslStatGauge(stats, str, "misses", (v0) -> {
                return v0.misses();
            });
            openSslStatGauge(stats, str, "timeouts", (v0) -> {
                return v0.timeouts();
            });
            openSslStatGauge(stats, str, "cache_full", (v0) -> {
                return v0.cacheFull();
            });
            openSslStatGauge(stats, str, "ticket_key_fail", (v0) -> {
                return v0.ticketKeyFail();
            });
            openSslStatGauge(stats, str, "ticket_key_new", (v0) -> {
                return v0.ticketKeyNew();
            });
            openSslStatGauge(stats, str, "ticket_key_renew", (v0) -> {
                return v0.ticketKeyRenew();
            });
            openSslStatGauge(stats, str, "ticket_key_resume", (v0) -> {
                return v0.ticketKeyResume();
            });
        }
    }

    private void openSslStatGauge(OpenSslSessionStats openSslSessionStats, String str, String str2, ToDoubleFunction<OpenSslSessionStats> toDoubleFunction) {
        Id createId = this.spectatorRegistry.createId("server.ssl.stats", new String[]{"id", str, "stat", str2});
        ((PolledMeter.Builder) PolledMeter.using(this.spectatorRegistry).withId(createId)).monitorValue(openSslSessionStats, toDoubleFunction);
        LOG.debug("Registered spectator gauge - {}", createId.name());
    }

    public static SslProvider chooseSslProvider() {
        return (ALLOW_USE_OPENSSL.get() && OpenSsl.isAvailable() && SslProvider.isAlpnSupported(SslProvider.OPENSSL)) ? SslProvider.OPENSSL : SslProvider.JDK;
    }

    public ServerSslConfig getServerSslConfig() {
        return this.serverSslConfig;
    }

    @Override // com.netflix.zuul.netty.ssl.SslContextFactory
    public String[] getProtocols() {
        return this.serverSslConfig.getProtocols();
    }

    @Override // com.netflix.zuul.netty.ssl.SslContextFactory
    public List<String> getCiphers() throws NoSuchAlgorithmException {
        return this.serverSslConfig.getCiphers();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CipherSuiteFilter getCiphersFilter() {
        return SupportedCipherSuiteFilter.INSTANCE;
    }

    protected List<X509Certificate> getTrustedX509Certificates() throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
        byte[] readAllBytes;
        ArrayList arrayList = new ArrayList();
        if (this.serverSslConfig.getClientAuth() == ClientAuth.REQUIRE || this.serverSslConfig.getClientAuth() == ClientAuth.OPTIONAL) {
            if (this.serverSslConfig.getClientAuthTrustStorePassword() != null) {
                readAllBytes = Base64.getDecoder().decode(this.serverSslConfig.getClientAuthTrustStorePassword());
            } else {
                if (this.serverSslConfig.getClientAuthTrustStorePasswordFile() == null) {
                    throw new IllegalArgumentException("Must specify either ClientAuthTrustStorePassword or ClientAuthTrustStorePasswordFile!");
                }
                readAllBytes = Files.readAllBytes(this.serverSslConfig.getClientAuthTrustStorePasswordFile().toPath());
            }
            String truststorePassword = getTruststorePassword(readAllBytes);
            if (0 != 0) {
                LOG.debug("X509Cert Trust Store Password {}", truststorePassword);
            }
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(new FileInputStream(this.serverSslConfig.getClientAuthTrustStoreFile()), truststorePassword.toCharArray());
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                arrayList.add((X509Certificate) keyStore.getCertificate(aliases.nextElement()));
            }
        }
        return arrayList;
    }

    protected String getTruststorePassword(byte[] bArr) {
        return new String(bArr, StandardCharsets.UTF_8).trim();
    }

    protected InputStream getKeyInputStream() throws IOException {
        return new FileInputStream(this.serverSslConfig.getKeyFile());
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
    }
}
