package org.apache.dubbo.remoting.api;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.IOException;
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLException;
import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.logger.Logger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.config.SslConfig;
import org.apache.dubbo.rpc.model.ApplicationModel;

/* loaded from: input_file:org/apache/dubbo/remoting/api/SslContexts.class */
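/**
 * Static factory for the Netty {@link SslContext} objects used by the remoting layer.
 *
 * <p>Both factories read the application-wide {@link SslConfig} obtained from
 * {@code ApplicationModel.getConfigManager()}; the {@code url} argument they accept is not
 * consulted. Neither factory sets TLS protocol versions or cipher suites, so the defaults of
 * the selected {@link SslProvider} apply.
 */
public class SslContexts {
    private static final Logger logger = LoggerFactory.getLogger(SslContexts.class);

    /**
     * Builds the server-side TLS context from the configured certificate chain and private key.
     *
     * <p>Client certificates are demanded ({@link ClientAuth#REQUIRE}) only when a server trust
     * certificate collection is configured. Without one, the context accepts any client that
     * completes a one-way TLS handshake, so peer authentication must then happen elsewhere.
     *
     * @param url currently unused; kept for interface compatibility
     * @return the server {@link SslContext}
     * @throws IllegalStateException if no {@link SslConfig} is registered
     * @throws IllegalArgumentException if the key material cannot be read, no TLS provider is
     *     available, or the context cannot be built; the underlying failure is the cause
     */
    public static SslContext buildServerSslContext(URL url) {
        SslConfig sslConfig = getSslConfig();
        InputStream keyCertChain = null;
        InputStream privateKey = null;
        InputStream trustCerts = null;
        try {
            String keyPassword = sslConfig.getServerKeyPassword();
            keyCertChain = sslConfig.getServerKeyCertChainPathStream();
            privateKey = sslConfig.getServerPrivateKeyPathStream();
            SslContextBuilder builder = keyPassword != null
                    ? SslContextBuilder.forServer(keyCertChain, privateKey, keyPassword)
                    : SslContextBuilder.forServer(keyCertChain, privateKey);

            // Ask for the trust stream once and reuse it: a second getter call may hand back a
            // second open stream that nothing would ever close (presumably the getter opens the
            // configured path on each call; verify against SslConfig).
            trustCerts = sslConfig.getServerTrustCertCollectionPathStream();
            if (trustCerts != null) {
                builder.trustManager(trustCerts);
                builder.clientAuth(ClientAuth.REQUIRE);
            }
            try {
                return builder.sslProvider(findSslProvider()).build();
            } catch (SSLException e) {
                // Re-wrapped by the outer catch below, so callers see IllegalArgumentException.
                throw new IllegalStateException("Build SslSession failed.", e);
            }
        } catch (Exception e) {
            // Also catches the IllegalStateException from provider lookup and build failure;
            // the message is therefore broader than "certificate" problems. Inspect the cause.
            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
        } finally {
            // The builder has parsed the PEM data by now; release the key-material streams.
            closeQuietly(trustCerts);
            closeQuietly(privateKey);
            closeQuietly(keyCertChain);
        }
    }

    /**
     * Builds the client-side TLS context.
     *
     * <p>A configured client trust certificate collection replaces the builder's default trust
     * settings; when none is configured the builder keeps its defaults. A client certificate is
     * presented only when both the certificate chain and the private key are configured.
     *
     * <p>NOTE(review): endpoint identification (hostname verification) is not configured here.
     * Confirm that the code creating the TLS handler from this context enables it; otherwise any
     * certificate chaining to a trusted root would be accepted regardless of the peer's name.
     *
     * @param url currently unused; kept for interface compatibility
     * @return the client {@link SslContext}
     * @throws IllegalStateException if no {@link SslConfig} is registered
     * @throws IllegalArgumentException if the key material cannot be read, no TLS provider is
     *     available, or the context cannot be built; the underlying failure is the cause
     */
    public static SslContext buildClientSslContext(URL url) {
        SslConfig sslConfig = getSslConfig();
        SslContextBuilder builder = SslContextBuilder.forClient();
        InputStream trustCerts = null;
        InputStream keyCertChain = null;
        InputStream privateKey = null;
        try {
            // Fetch once and reuse, so no extra stream is left open by a null-check call.
            trustCerts = sslConfig.getClientTrustCertCollectionPathStream();
            if (trustCerts != null) {
                builder.trustManager(trustCerts);
            }

            keyCertChain = sslConfig.getClientKeyCertChainPathStream();
            privateKey = sslConfig.getClientPrivateKeyPathStream();
            if (keyCertChain != null && privateKey != null) {
                String keyPassword = sslConfig.getClientKeyPassword();
                if (keyPassword != null) {
                    builder.keyManager(keyCertChain, privateKey, keyPassword);
                } else {
                    builder.keyManager(keyCertChain, privateKey);
                }
            }
            try {
                return builder.sslProvider(findSslProvider()).build();
            } catch (SSLException e) {
                // Re-wrapped by the outer catch below, so callers see IllegalArgumentException.
                throw new IllegalStateException("Build SslSession failed.", e);
            }
        } catch (Exception e) {
            // Also catches the IllegalStateException from provider lookup and build failure.
            throw new IllegalArgumentException("Could not find certificate file or find invalid certificate.", e);
        } finally {
            closeQuietly(privateKey);
            closeQuietly(keyCertChain);
            closeQuietly(trustCerts);
        }
    }

    /**
     * Returns the application-wide TLS configuration.
     *
     * @throws IllegalStateException if no {@link SslConfig} has been registered
     */
    private static SslConfig getSslConfig() {
        return (SslConfig) ApplicationModel.getConfigManager()
                .getSsl()
                .orElseThrow(() -> new IllegalStateException("Ssl enabled, but no ssl cert information provided!"));
    }

    /**
     * Picks the TLS engine: OpenSSL when Netty reports it available, otherwise the JDK provider.
     *
     * @throws IllegalStateException if neither OpenSSL nor a JDK "SSLContext.TLS" provider exists
     */
    private static SslProvider findSslProvider() {
        if (OpenSsl.isAvailable()) {
            logger.info("Using OPENSSL provider.");
            return SslProvider.OPENSSL;
        }
        if (!checkJdkProvider()) {
            throw new IllegalStateException("Could not find any valid TLS provider, please check your dependency or deployment environment, usually netty-tcnative, Conscrypt, or Jetty NPN/ALPN is needed.");
        }
        logger.info("Using JDK provider.");
        return SslProvider.JDK;
    }

    /** Reports whether at least one installed security provider offers "SSLContext.TLS". */
    private static boolean checkJdkProvider() {
        Provider[] providers = Security.getProviders("SSLContext.TLS");
        return providers != null && providers.length > 0;
    }

    /**
     * Closes a key-material stream on a best-effort basis; a close failure is logged and never
     * replaces the result or exception of the context build.
     */
    private static void closeQuietly(InputStream stream) {
        if (stream == null) {
            return;
        }
        try {
            stream.close();
        } catch (IOException e) {
            logger.warn("Failed to close a stream.", e);
        }
    }
}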
