package com.navercorp.pinpoint.grpc.security;

import com.navercorp.pinpoint.common.util.CollectionUtils;
import com.navercorp.pinpoint.common.util.StringUtils;
import com.navercorp.pinpoint.grpc.util.Resource;
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:docker/agent_pinpoint/lib/pinpoint-grpc-2.5.1-p1.jar:com/navercorp/pinpoint/grpc/security/SslContextFactory.class */
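/**
 * Builds Netty {@link SslContext} instances for the gRPC server and client sides.
 *
 * <p>Every context produced here is restricted to
 * {@code SecurityConstants.DEFAULT_SUPPORT_PROTOCOLS} and
 * {@code SecurityConstants.DEFAULT_SUPPORT_CIPHER_SUITE}, and is rejected after the build
 * if any negotiable cipher suite appears in {@code SecurityConstants.BAD_CIPHER_SUITE_LIST}.
 */
public final class SslContextFactory {
    private static final Logger LOGGER = LogManager.getLogger(SslContextFactory.class);

    /**
     * Creates the server-side TLS context from the configured certificate chain and private key.
     *
     * <p>Only server authentication is set up in this method: no trust manager or client-auth
     * mode is applied to the builder, so client certificates are not requested here.
     *
     * @param sslServerConfig server TLS settings; must not be {@code null}
     * @return a validated server {@link SslContext}
     * @throws SSLException if the provider name is unknown, the key material cannot be read or
     *                      parsed, or the resulting cipher suite list is empty or contains a
     *                      black-listed suite
     */
    public static SslContext create(SslServerConfig sslServerConfig) throws SSLException {
        Objects.requireNonNull(sslServerConfig, "serverConfig");
        SslProvider sslProvider = getSslProvider(sslServerConfig.getSslProviderType());
        // The builder does not take ownership of the streams it is given; the caller has to close
        // them once build() has run. try-with-resources releases the handles to the certificate
        // chain and the private key on every path, including a failed build.
        try (InputStream keyCertChainStream = sslServerConfig.getKeyCertChainResource().getInputStream();
             InputStream privateKeyStream = sslServerConfig.getKeyResource().getInputStream()) {
            return buildAndValidate(SslContextBuilder.forServer(keyCertChainStream, privateKeyStream), sslProvider);
        } catch (SSLException e) {
            throw e;
        } catch (Exception e) {
            // Keep the original cause so configuration errors (missing resource, bad PEM) stay diagnosable.
            throw new SSLException(e);
        }
    }

    /**
     * Creates the client-side TLS context.
     *
     * <p>When a trust certificate resource is configured, the server certificate is verified
     * against that collection only. Otherwise the platform default {@link TrustManagerFactory}
     * is initialised with a {@code null} key store, which selects the JVM default trust store.
     *
     * @param sslClientConfig client TLS settings; must not be {@code null} and must be enabled
     * @return a validated client {@link SslContext}
     * @throws IllegalArgumentException if TLS is disabled in {@code sslClientConfig}
     * @throws SSLException if the provider name is unknown, the trust material cannot be read or
     *                      parsed, or the resulting cipher suite list is empty or contains a
     *                      black-listed suite
     */
    public static SslContext create(SslClientConfig sslClientConfig) throws SSLException {
        Objects.requireNonNull(sslClientConfig, "clientConfig");
        if (!sslClientConfig.isEnable()) {
            throw new IllegalArgumentException("sslConfig is disabled.");
        }
        SslProvider sslProvider = getSslProvider(sslClientConfig.getSslProviderType());
        try {
            SslContextBuilder builder = SslContextBuilder.forClient();
            Resource trustCertResource = sslClientConfig.getTrustCertResource();
            if (trustCertResource != null) {
                // Keep the stream open until the context is built, then close it; the builder
                // leaves closing to the caller.
                try (InputStream trustCertStream = trustCertResource.getInputStream()) {
                    builder.trustManager(trustCertStream);
                    return buildAndValidate(builder, sslProvider);
                }
            }
            // No pinned trust certificates: fall back to the JVM default trust anchors.
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
            builder.trustManager(trustManagerFactory);
            return buildAndValidate(builder, sslProvider);
        } catch (SSLException e) {
            throw e;
        } catch (Exception e) {
            throw new SSLException(e);
        }
    }

    /** Builds the context with the shared hardening settings and rejects it if a bad cipher suite remains. */
    private static SslContext buildAndValidate(SslContextBuilder sslContextBuilder, SslProvider sslProvider) throws SSLException {
        SslContext sslContext = createSslContext(sslContextBuilder, sslProvider);
        assertValidCipherSuite(sslContext);
        return sslContext;
    }

    /**
     * Applies the provider, the allowed protocol versions and the allowed cipher suites, then lets
     * {@link GrpcSslContexts#configure(SslContextBuilder, SslProvider)} add the gRPC-specific
     * settings before building.
     */
    private static SslContext createSslContext(SslContextBuilder sslContextBuilder, SslProvider sslProvider) throws SSLException {
        sslContextBuilder.sslProvider(sslProvider);
        sslContextBuilder.protocols((String[]) SecurityConstants.DEFAULT_SUPPORT_PROTOCOLS.toArray(new String[0]));
        // SupportedCipherSuiteFilter drops requested suites the provider does not support, so the
        // effective list can be shorter than the configured one; assertValidCipherSuite checks the result.
        sslContextBuilder.ciphers(SecurityConstants.DEFAULT_SUPPORT_CIPHER_SUITE, SupportedCipherSuiteFilter.INSTANCE);
        return GrpcSslContexts.configure(sslContextBuilder, sslProvider).build();
    }

    /**
     * Fails closed when the built context has no cipher suites or exposes a suite from
     * {@code SecurityConstants.BAD_CIPHER_SUITE_LIST}.
     *
     * @throws SSLException if the list is empty or a black-listed suite is present
     */
    private static void assertValidCipherSuite(SslContext sslContext) throws SSLException {
        Objects.requireNonNull(sslContext, "sslContext must not be null");
        List<String> cipherSuites = sslContext.cipherSuites();
        if (CollectionUtils.isEmpty(cipherSuites)) {
            throw new SSLException("cipherSuites must not be empty");
        }
        for (String cipherSuite : cipherSuites) {
            if (SecurityConstants.BAD_CIPHER_SUITE_LIST.contains(cipherSuite)) {
                throw new SSLException(cipherSuite + " is not safe. Please check this url.(https://httpwg.org/specs/rfc7540.html#BadCipherSuites)");
            }
        }
        LOGGER.info("Support cipher list : {} {}", sslContext, cipherSuites);
    }

    /**
     * Resolves the configured provider name, case-insensitively.
     *
     * <p>An empty or {@code null} name selects {@link SslProvider#OPENSSL}. Any value other than
     * {@code OPENSSL} or {@code JDK} is rejected instead of falling back to a default, so a typo
     * in the configuration cannot silently change the TLS implementation in use.
     *
     * @param str provider name from configuration; may be {@code null} or empty
     * @return the matching {@link SslProvider}
     * @throws SSLException if the name is neither empty, {@code OPENSSL} nor {@code JDK}
     */
    static SslProvider getSslProvider(String str) throws SSLException {
        if (StringUtils.isEmpty(str) || SslProvider.OPENSSL.name().equalsIgnoreCase(str)) {
            return SslProvider.OPENSSL;
        }
        if (SslProvider.JDK.name().equalsIgnoreCase(str)) {
            return SslProvider.JDK;
        }
        throw new SSLException("can't find SslProvider. value:" + str);
    }
}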
