package datahub.shaded.org.apache.kafka.common.security.ssl;

import datahub.shaded.org.apache.commons.text.lookup.StringLookupFactory;
import datahub.shaded.org.apache.kafka.common.KafkaException;
import datahub.shaded.org.apache.kafka.common.Reconfigurable;
import datahub.shaded.org.apache.kafka.common.config.ConfigException;
import datahub.shaded.org.apache.kafka.common.config.SslConfigs;
import datahub.shaded.org.apache.kafka.common.config.types.Password;
import datahub.shaded.org.apache.kafka.common.network.Mode;
import datahub.shaded.org.apache.kafka.common.utils.Utils;
import datahub.shaded.slf4j.Logger;
import datahub.shaded.slf4j.LoggerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.validation.DefaultBindingErrorProcessor;

/* loaded from: input_file:datahub/shaded/org/apache/kafka/common/security/ssl/SslFactory.class */
public class SslFactory implements Reconfigurable {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SslFactory.class);
    private final Mode mode;
    private final String clientAuthConfigOverride;
    private final boolean keystoreVerifiableUsingTruststore;
    private String protocol;
    private String provider;
    private String kmfAlgorithm;
    private String tmfAlgorithm;
    private SecurityStore keystore;
    private SecurityStore truststore;
    private String[] cipherSuites;
    private String[] enabledProtocols;
    private String endpointIdentification;
    private SecureRandom secureRandomImplementation;
    private SSLContext sslContext;
    private boolean needClientAuth;
    private boolean wantClientAuth;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: datahub.shaded.org.apache.kafka.common.security.ssl.SslFactory$1, reason: invalid class name */
    /* loaded from: input_file:datahub/shaded/org/apache/kafka/common/security/ssl/SslFactory$1.class */
    // Switch-map holder reconstructed by the decompiler (javac emits such a class for switch-on-enum).
    // Each table is indexed by enum ordinal and yields a dense case label:
    //   HandshakeStatus: NEED_WRAP=1, NEED_UNWRAP=2, NEED_TASK=3, FINISHED=4, NOT_HANDSHAKING=5
    //   Status:          OK=1, BUFFER_OVERFLOW=2, BUFFER_UNDERFLOW=3, CLOSED=4
    // A constant that is not assigned below keeps the int[] default of 0, so a switch over the table
    // sends it to its `default` branch.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$Status;
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus = new int[SSLEngineResult.HandshakeStatus.values().length];

        static {
            // Every assignment is wrapped separately so that an enum constant missing from the runtime
            // class (NoSuchFieldError) only leaves its own slot at 0 instead of aborting initialisation.
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_WRAP.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_UNWRAP.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_TASK.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.FINISHED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            // Second table: result status of a single wrap()/unwrap() call.
            $SwitchMap$javax$net$ssl$SSLEngineResult$Status = new int[SSLEngineResult.Status.values().length];
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.OK.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.BUFFER_OVERFLOW.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.BUFFER_UNDERFLOW.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.CLOSED.ordinal()] = 4;
            } catch (NoSuchFieldError e9) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:datahub/shaded/org/apache/kafka/common/security/ssl/SslFactory$CertificateEntries.class */
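    /**
     * Subject identity of one X.509 certificate held in a key store: the subject distinguished name
     * together with the subject alternative names.
     *
     * <p>Only these two attributes take part in {@link #equals(Object)}; the public key, issuer,
     * validity period and serial number are not compared. Equality therefore means "same claimed
     * identity", not "same certificate" and not "trusted certificate".
     */
    public static class CertificateEntries {
        private final Principal subjectPrincipal;
        private final Set<List<?>> subjectAltNames;

        /**
         * Collects one entry per alias whose certificate is an {@link X509Certificate}.
         *
         * <p>Entries are returned in the order the key store enumerates its aliases, so comparing two
         * results with {@link List#equals(Object)} is sensitive to that order. {@code getCertificate}
         * yields the first certificate of a key entry's chain; the rest of the chain is not inspected.
         *
         * @param keyStore an already loaded key store
         * @return the entries found, possibly empty, never {@code null}
         * @throws GeneralSecurityException if the key store is not initialised or a certificate cannot be parsed
         */
        static List<CertificateEntries> create(KeyStore keyStore) throws GeneralSecurityException {
            // Typed list instead of the raw ArrayList the decompiler produced.
            List<CertificateEntries> entries = new ArrayList<>();
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                Certificate certificate = keyStore.getCertificate(aliases.nextElement());
                // Non-X.509 certificates (and aliases without a certificate) are skipped silently.
                if (certificate instanceof X509Certificate) {
                    entries.add(new CertificateEntries((X509Certificate) certificate));
                }
            }
            return entries;
        }

        /**
         * Captures the subject DN and a copy of the subject alternative names of the certificate.
         *
         * @param x509Certificate the certificate to describe
         * @throws GeneralSecurityException if the subject alternative name extension cannot be decoded
         */
        CertificateEntries(X509Certificate x509Certificate) throws GeneralSecurityException {
            this.subjectPrincipal = x509Certificate.getSubjectX500Principal();
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            // A certificate without the SAN extension reports null; normalise to an empty set so that
            // two such certificates compare equal on this attribute.
            this.subjectAltNames = subjectAlternativeNames != null ? new HashSet<>(subjectAlternativeNames) : Collections.emptySet();
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.subjectPrincipal, this.subjectAltNames);
        }

        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof CertificateEntries)) {
                return false;
            }
            CertificateEntries other = (CertificateEntries) obj;
            return Objects.equals(this.subjectPrincipal, other.subjectPrincipal) && Objects.equals(this.subjectAltNames, other.subjectAltNames);
        }

        @Override
        public String toString() {
            return "subjectPrincipal=" + this.subjectPrincipal + ", subjectAltNames=" + this.subjectAltNames;
        }
    }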

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:datahub/shaded/org/apache/kafka/common/security/ssl/SslFactory$SSLConfigValidatorEngine.class */
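    /**
     * Drives a TLS handshake between two in-memory {@link SSLEngine}s, one built from each of two
     * {@link SSLContext}s, to check that the contexts can complete a handshake with each other.
     *
     * <p>No socket is involved: each engine wraps into its own {@code netBuffer} and the peer unwraps
     * from that buffer. Engines are obtained through {@link SslFactory#createSslEngine}, so they carry
     * the factory's cipher-suite and protocol restrictions; client/server role is then forced here.
     */
    public static class SSLConfigValidatorEngine {
        private static final ByteBuffer EMPTY_BUF = ByteBuffer.allocate(0);
        private final SSLEngine sslEngine;
        private SSLEngineResult handshakeResult;
        private ByteBuffer appBuffer;
        private ByteBuffer netBuffer;

        /**
         * Performs a full handshake with {@code sSLContext} acting as client and {@code sSLContext2}
         * acting as server.
         *
         * @param sslFactory  factory used to create both engines
         * @param sSLContext  context for the client side
         * @param sSLContext2 context for the server side
         * @throws SSLException if the handshake fails
         */
        static void validate(SslFactory sslFactory, SSLContext sSLContext, SSLContext sSLContext2) throws SSLException {
            SSLConfigValidatorEngine clientEngine = new SSLConfigValidatorEngine(sslFactory, sSLContext, Mode.CLIENT);
            SSLConfigValidatorEngine serverEngine = new SSLConfigValidatorEngine(sslFactory, sSLContext2, Mode.SERVER);
            try {
                clientEngine.beginHandshake();
                serverEngine.beginHandshake();
                // Alternate between the two sides until both report the handshake as done.
                while (!serverEngine.complete() || !clientEngine.complete()) {
                    clientEngine.handshake(serverEngine);
                    serverEngine.handshake(clientEngine);
                }
            } finally {
                clientEngine.close();
                serverEngine.close();
            }
        }

        private SSLConfigValidatorEngine(SslFactory sslFactory, SSLContext sSLContext, Mode mode) {
            // "localhost" is the literal behind the unrelated commons-text constant
            // (StringLookupFactory.KEY_LOCALHOST) that the decompiler substituted for it; port 0 is a
            // placeholder because no connection is opened.
            this.sslEngine = sslFactory.createSslEngine(sSLContext, "localhost", 0);
            this.sslEngine.setUseClientMode(mode == Mode.CLIENT);
            this.appBuffer = ByteBuffer.allocate(this.sslEngine.getSession().getApplicationBufferSize());
            this.netBuffer = ByteBuffer.allocate(this.sslEngine.getSession().getPacketBufferSize());
        }

        void beginHandshake() throws SSLException {
            this.sslEngine.beginHandshake();
        }

        /**
         * Advances this side of the handshake as far as possible without further input from the peer.
         *
         * @param sSLConfigValidatorEngine the peer whose {@code netBuffer} holds data for this engine
         * @throws SSLException if a wrap/unwrap reports an unexpected status or the engine stops
         *                      handshaking without having finished
         */
        void handshake(SSLConfigValidatorEngine sSLConfigValidatorEngine) throws SSLException {
            SSLEngineResult.HandshakeStatus handshakeStatus = this.sslEngine.getHandshakeStatus();
            while (true) {
                switch (handshakeStatus) {
                    case NEED_WRAP:
                        this.handshakeResult = this.sslEngine.wrap(EMPTY_BUF, this.netBuffer);
                        switch (this.handshakeResult.getStatus()) {
                            case OK:
                                return;
                            case BUFFER_OVERFLOW:
                                this.netBuffer.compact();
                                this.netBuffer = Utils.ensureCapacity(this.netBuffer, this.sslEngine.getSession().getPacketBufferSize());
                                this.netBuffer.flip();
                                return;
                            case BUFFER_UNDERFLOW:
                            case CLOSED:
                            default:
                                throw new SSLException("Unexpected handshake status: " + this.handshakeResult.getStatus());
                        }
                    case NEED_UNWRAP:
                        if (sSLConfigValidatorEngine.netBuffer.position() == 0) {
                            // Nothing from the peer yet; hand control back so it can produce data.
                            return;
                        }
                        sSLConfigValidatorEngine.netBuffer.flip();
                        this.handshakeResult = this.sslEngine.unwrap(sSLConfigValidatorEngine.netBuffer, this.appBuffer);
                        sSLConfigValidatorEngine.netBuffer.compact();
                        handshakeStatus = this.handshakeResult.getHandshakeStatus();
                        switch (this.handshakeResult.getStatus()) {
                            case OK:
                                break;
                            case BUFFER_OVERFLOW:
                                this.appBuffer = Utils.ensureCapacity(this.appBuffer, this.sslEngine.getSession().getApplicationBufferSize());
                                break;
                            case BUFFER_UNDERFLOW:
                                // NOTE(review): grows this engine's own netBuffer although the unwrap
                                // source is the peer's buffer; kept as listed, confirm against upstream.
                                this.netBuffer = Utils.ensureCapacity(this.netBuffer, this.sslEngine.getSession().getPacketBufferSize());
                                break;
                            case CLOSED:
                            default:
                                throw new SSLException("Unexpected handshake status: " + this.handshakeResult.getStatus());
                        }
                        // Re-dispatch on the status reported by unwrap(). Without this break the listing
                        // fell through into NEED_TASK and called getDelegatedTask().run() even when no
                        // task was pending.
                        break;
                    case NEED_TASK:
                        this.sslEngine.getDelegatedTask().run();
                        handshakeStatus = this.sslEngine.getHandshakeStatus();
                        break;
                    case FINISHED:
                        return;
                    case NOT_HANDSHAKING:
                        // The engine has left handshake mode; accept that only if the last wrap/unwrap
                        // actually reported FINISHED. A missing result is treated the same way instead
                        // of surfacing as a NullPointerException.
                        if (this.handshakeResult == null || this.handshakeResult.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.FINISHED) {
                            throw new SSLException("Did not finish handshake");
                        }
                        return;
                    default:
                        throw new IllegalStateException("Unexpected handshake status " + handshakeStatus);
                }
            }
        }

        /** Returns whether the engine reports {@code FINISHED} or {@code NOT_HANDSHAKING}. */
        boolean complete() {
            SSLEngineResult.HandshakeStatus status = this.sslEngine.getHandshakeStatus();
            return status == SSLEngineResult.HandshakeStatus.FINISHED || status == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
        }

        /** Closes both directions of the engine; failures while closing are ignored. */
        void close() {
            this.sslEngine.closeOutbound();
            try {
                this.sslEngine.closeInbound();
            } catch (Exception ignored) {
                // Best-effort cleanup: closeInbound() throws when no close_notify was received from the
                // peer, which is expected here because the in-memory peer never sends one.
            }
        }
    }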

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:datahub/shaded/org/apache/kafka/common/security/ssl/SslFactory$SecurityStore.class */
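    /**
     * Location and credentials of a key store or trust store file, plus the file modification time
     * observed when this object was created.
     *
     * <p>The store contents are not cached: every {@link #load()} re-reads the file at {@code path}.
     * {@link #toString()} deliberately prints only the path and modification time, never a password.
     */
    public static class SecurityStore {
        private final String type;
        private final String path;
        private final Password password;
        private final Password keyPassword;
        // Modification time in epoch milliseconds, or null when it could not be read at construction.
        private final Long fileLastModifiedMs;

        /**
         * @param str       store type passed to {@link KeyStore#getInstance(String)}; must not be null
         * @param str2      file system path of the store
         * @param password  store password, may be null
         * @param password2 private-key password, may be null
         * @throws NullPointerException if {@code str} is null
         */
        SecurityStore(String str, String str2, Password password, Password password2) {
            Objects.requireNonNull(str, "type must not be null");
            this.type = str;
            this.path = str2;
            this.password = password;
            this.keyPassword = password2;
            // NOTE(review): str2 is not null-checked here; the factory methods visible in this file
            // only construct a store when a path is present.
            this.fileLastModifiedMs = lastModifiedMs(str2);
        }

        /**
         * Reads the store file from disk and returns the parsed key store.
         *
         * <p>When no store password is configured, {@code null} is passed to
         * {@link KeyStore#load(InputStream, char[])}, in which case the JDK does not perform the
         * integrity check of the store.
         *
         * @return a freshly loaded key store
         * @throws KafkaException if the file cannot be read or parsed
         */
        KeyStore load() {
            // try-with-resources replaces the decompiled close logic, which referenced a Throwable
            // variable that was always null.
            try (InputStream in = Files.newInputStream(Paths.get(this.path))) {
                KeyStore keyStore = KeyStore.getInstance(this.type);
                char[] storePassword = this.password != null ? this.password.value().toCharArray() : null;
                keyStore.load(in, storePassword);
                return keyStore;
            } catch (IOException | GeneralSecurityException e) {
                throw new KafkaException("Failed to load SSL keystore " + this.path + " of type " + this.type, e);
            }
        }

        /**
         * Returns the file's modification time in epoch milliseconds, or {@code null} (after logging an
         * error) when it cannot be read.
         */
        private Long lastModifiedMs(String str) {
            try {
                return Long.valueOf(Files.getLastModifiedTime(Paths.get(str)).toMillis());
            } catch (IOException e) {
                SslFactory.log.error("Modification time of key store could not be obtained: " + str, (Throwable) e);
                return null;
            }
        }

        /**
         * Reports whether the file's modification time differs from the one recorded at construction.
         *
         * <p>Change detection relies on the modification time alone. If the time cannot be read now,
         * the store is reported as unmodified, so a file that became unreadable does not trigger a
         * reload.
         */
        boolean modified() {
            Long currentMs = lastModifiedMs(this.path);
            return currentMs != null && !Objects.equals(currentMs, this.fileLastModifiedMs);
        }

        @Override
        public String toString() {
            return "SecurityStore(path=" + this.path + ", modificationTime=" + (this.fileLastModifiedMs == null ? null : new Date(this.fileLastModifiedMs.longValue())) + ")";
        }
    }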

    /**
     * Creates a factory for the given mode with no client-authentication override and with the
     * keystore-against-truststore handshake check switched off.
     *
     * @param mode whether engines are created for the client or the server side
     */
    public SslFactory(Mode mode) {
        this(mode, null, false);
    }

    /**
     * Creates a factory; stores and the SSL context are only built later by {@code configure}.
     *
     * @param mode whether engines are created for the client or the server side
     * @param str  client-authentication setting that takes precedence over the {@code ssl.client.auth}
     *             config value, or {@code null} to use the config value
     * @param z    when {@code true}, a changed key store or trust store must complete a handshake with
     *             the current context in both directions before it is accepted
     */
    public SslFactory(Mode mode, String str, boolean z) {
        this.mode = mode;
        this.clientAuthConfigOverride = str;
        this.keystoreVerifiableUsingTruststore = z;
        // No key store until configure() has run.
        this.keystore = null;
    }

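    /**
     * Reads the SSL settings from {@code map}, builds the key store and trust store descriptors and
     * creates the initial {@link SSLContext}.
     *
     * <p>Security-relevant behaviour visible here:
     * <ul>
     *   <li>Protocol, enabled protocols and cipher suites are taken from the configuration as given;
     *       this method does not reject old protocol versions or weak suites.</li>
     *   <li>The endpoint identification algorithm stays {@code null} when the key is absent; client
     *       engines are then created without host name verification.</li>
     *   <li>Client authentication is enabled only for the exact values {@code "required"} and
     *       {@code "requested"}; any other value leaves it off without an error.</li>
     * </ul>
     *
     * @param map configuration values keyed by config name
     * @throws KafkaException if the secure random implementation is unknown, the store settings are
     *                        inconsistent, or the SSL context cannot be created
     */
    @Override // datahub.shaded.org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) throws KafkaException {
        this.protocol = (String) map.get(SslConfigs.SSL_PROTOCOL_CONFIG);
        this.provider = (String) map.get(SslConfigs.SSL_PROVIDER_CONFIG);

        // presumably list-typed config values arrive as List<String>; verify against the config definition
        @SuppressWarnings("unchecked")
        List<String> cipherSuiteList = (List<String>) map.get(SslConfigs.SSL_CIPHER_SUITES_CONFIG);
        if (cipherSuiteList != null && !cipherSuiteList.isEmpty()) {
            this.cipherSuites = cipherSuiteList.toArray(new String[0]);
        }
        @SuppressWarnings("unchecked")
        List<String> enabledProtocolList = (List<String>) map.get(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
        if (enabledProtocolList != null && !enabledProtocolList.isEmpty()) {
            this.enabledProtocols = enabledProtocolList.toArray(new String[0]);
        }

        String endpointAlgorithm = (String) map.get(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
        if (endpointAlgorithm != null) {
            this.endpointIdentification = endpointAlgorithm;
        }

        String secureRandomName = (String) map.get(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG);
        if (secureRandomName != null) {
            try {
                this.secureRandomImplementation = SecureRandom.getInstance(secureRandomName);
            } catch (GeneralSecurityException e) {
                throw new KafkaException(e);
            }
        }

        // The constructor-supplied override wins over the configured value.
        String clientAuth = this.clientAuthConfigOverride;
        if (clientAuth == null) {
            clientAuth = (String) map.get("ssl.client.auth");
        }
        if (clientAuth != null) {
            // "required" is written out; the decompiler had substituted an unrelated Spring constant
            // (DefaultBindingErrorProcessor.MISSING_FIELD_ERROR_CODE) that carries the same string.
            if (clientAuth.equals("required")) {
                this.needClientAuth = true;
            } else if (clientAuth.equals("requested")) {
                this.wantClientAuth = true;
            }
        }

        this.kmfAlgorithm = (String) map.get(SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
        this.tmfAlgorithm = (String) map.get(SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
        this.keystore = createKeystore((String) map.get(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG), (String) map.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG), (Password) map.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG), (Password) map.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG));
        this.truststore = createTruststore((String) map.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG), (String) map.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG), (Password) map.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
        try {
            this.sslContext = createSSLContext(this.keystore, this.truststore);
            // SecurityStore.toString() prints path and modification time only, so no password is logged.
            log.debug("Created SSL context with keystore {} truststore {}", this.keystore, this.truststore);
        } catch (Exception e2) {
            throw new KafkaException(e2);
        }
    }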

    /**
     * Names of the settings that may be changed at runtime.
     *
     * @return the set exposed by {@code SslConfigs.RECONFIGURABLE_CONFIGS}
     */
    @Override // datahub.shaded.org.apache.kafka.common.Reconfigurable
    public Set<String> reconfigurableConfigs() {
        Set<String> reconfigurable = SslConfigs.RECONFIGURABLE_CONFIGS;
        return reconfigurable;
    }

    /**
     * Dry-runs a store update: builds (and thereby validates) an SSL context from the proposed
     * settings without replacing the context currently in use.
     *
     * <p>The underlying exception is carried only as text in the {@link ConfigException} message; its
     * stack trace is logged at debug level.
     *
     * @param map proposed configuration values
     * @throws ConfigException if the proposed key store or trust store is rejected
     */
    @Override // datahub.shaded.org.apache.kafka.common.Reconfigurable
    public void validateReconfiguration(Map<String, ?> map) {
        try {
            SecurityStore candidateKeystore = maybeCreateNewKeystore(map);
            SecurityStore candidateTruststore = maybeCreateNewTruststore(map);
            if (candidateKeystore == null && candidateTruststore == null) {
                // Nothing changed, nothing to validate.
                return;
            }
            SecurityStore effectiveKeystore = candidateKeystore == null ? this.keystore : candidateKeystore;
            SecurityStore effectiveTruststore = candidateTruststore == null ? this.truststore : candidateTruststore;
            // The result is discarded on purpose; only the checks inside createSSLContext matter here.
            createSSLContext(effectiveKeystore, effectiveTruststore);
        } catch (Exception e) {
            log.debug("Validation of dynamic config update of SSL keystore/truststore failed", (Throwable) e);
            throw new ConfigException("Validation of dynamic config update of SSL keystore/truststore failed: " + e);
        }
    }

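    /**
     * Applies a key store / trust store update by building a new SSL context and, only if that
     * succeeds, switching the factory over to it.
     *
     * <p>The fields {@code sslContext}, {@code keystore} and {@code truststore} are assigned after
     * {@code createSSLContext} has returned, so a rejected update leaves the previous context and
     * stores in place.
     *
     * @param map new configuration values
     * @throws ConfigException if the new context cannot be created or fails validation
     */
    @Override // datahub.shaded.org.apache.kafka.common.Reconfigurable
    public void reconfigure(Map<String, ?> map) throws KafkaException {
        SecurityStore newKeystore = maybeCreateNewKeystore(map);
        SecurityStore newTruststore = maybeCreateNewTruststore(map);
        if (newKeystore == null && newTruststore == null) {
            return;
        }
        // The try block covers context creation. In the decompiled listing it wrapped only a field
        // read, which let the checked exceptions of createSSLContext escape the ConfigException
        // translation below.
        try {
            SecurityStore effectiveKeystore = newKeystore != null ? newKeystore : this.keystore;
            SecurityStore effectiveTruststore = newTruststore != null ? newTruststore : this.truststore;
            this.sslContext = createSSLContext(effectiveKeystore, effectiveTruststore);
            log.info("Created new SSL context with keystore {} truststore {}", effectiveKeystore, effectiveTruststore);
            this.keystore = effectiveKeystore;
            this.truststore = effectiveTruststore;
        } catch (Exception e) {
            log.debug("Reconfiguration of SSL keystore/truststore failed", (Throwable) e);
            throw new ConfigException("Reconfiguration of SSL keystore/truststore failed: " + e);
        }
    }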

    /**
     * Returns a new key store descriptor when the key store settings in {@code map} differ from the
     * current ones, when the current file's modification time has changed, or when no key store is
     * configured yet; returns {@code null} when the current key store can stay.
     *
     * <p>The result may also be {@code null} when {@code map} holds neither a location nor a password.
     */
    private SecurityStore maybeCreateNewKeystore(Map<String, ?> map) {
        if (this.keystore != null) {
            boolean sameSettings = Objects.equals(map.get(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG), this.keystore.type)
                    && Objects.equals(map.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG), this.keystore.path)
                    && Objects.equals(map.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG), this.keystore.password)
                    && Objects.equals(map.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG), this.keystore.keyPassword);
            // The file is only checked for modification when the settings themselves are unchanged.
            if (sameSettings && !this.keystore.modified()) {
                return null;
            }
        }
        return createKeystore((String) map.get(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG), (String) map.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG), (Password) map.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG), (Password) map.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG));
    }

    /**
     * Returns a new trust store descriptor when the trust store settings in {@code map} differ from
     * the current ones, when the current file's modification time has changed, or when no trust store
     * is configured yet; returns {@code null} when the current trust store can stay.
     *
     * <p>The result may also be {@code null} when {@code map} holds no trust store location.
     */
    private SecurityStore maybeCreateNewTruststore(Map<String, ?> map) {
        if (this.truststore != null) {
            boolean sameSettings = Objects.equals(map.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG), this.truststore.type)
                    && Objects.equals(map.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG), this.truststore.path)
                    && Objects.equals(map.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG), this.truststore.password);
            // The file is only checked for modification when the settings themselves are unchanged.
            if (sameSettings && !this.truststore.modified()) {
                return null;
            }
        }
        return createTruststore((String) map.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG), (String) map.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG), (Password) map.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
    }

    /**
     * Builds an {@link SSLContext} from the given stores and, when a store differs from the one
     * currently in use, validates the change before returning.
     *
     * <p>Validation of a changed store:
     * <ol>
     *   <li>a store may not be added where none was configured before;</li>
     *   <li>if {@code keystoreVerifiableUsingTruststore} is set, the new and the current context must
     *       complete a handshake with each other in both directions;</li>
     *   <li>for a changed key store, subject DN and subject alternative names of the certificates must
     *       equal those of the current key store.</li>
     * </ol>
     *
     * @param securityStore  key store to use, or {@code null} for none
     * @param securityStore2 trust store to use, or {@code null} to initialise the trust manager
     *                       factory without an explicit store
     * @return the initialised context; the caller decides whether to install it
     * @throws GeneralSecurityException on provider, algorithm or key store errors
     * @throws IOException declared by the listing; not thrown directly by the visible code
     * @throws ConfigException if one of the validation steps above fails
     */
    SSLContext createSSLContext(SecurityStore securityStore, SecurityStore securityStore2) throws GeneralSecurityException, IOException {
        SSLContext context;
        if (this.provider == null) {
            context = SSLContext.getInstance(this.protocol);
        } else {
            context = SSLContext.getInstance(this.protocol, this.provider);
        }

        KeyManager[] keyManagers = null;
        if (securityStore != null) {
            String kmfName = this.kmfAlgorithm == null ? KeyManagerFactory.getDefaultAlgorithm() : this.kmfAlgorithm;
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfName);
            KeyStore loadedKeystore = securityStore.load();
            // The private-key password falls back to the store password when none is configured.
            Password effectiveKeyPassword = securityStore.keyPassword == null ? securityStore.password : securityStore.keyPassword;
            kmf.init(loadedKeystore, effectiveKeyPassword.value().toCharArray());
            keyManagers = kmf.getKeyManagers();
        }

        String tmfName = this.tmfAlgorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : this.tmfAlgorithm;
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfName);
        // NOTE(review): with no trust store configured the factory is initialised with a null KeyStore;
        // with the default JSSE provider that selects the JVM-wide default trust anchors. Confirm this
        // is intended for the deployment.
        KeyStore loadedTruststore = securityStore2 == null ? null : securityStore2.load();
        tmf.init(loadedTruststore);
        context.init(keyManagers, tmf.getTrustManagers(), this.secureRandomImplementation);

        // Reference comparison: a store counts as changed only when a different descriptor object is
        // passed than the one currently installed.
        boolean keystoreChanged = securityStore != null && securityStore != this.keystore;
        boolean truststoreChanged = securityStore2 != null && securityStore2 != this.truststore;
        if (!keystoreChanged && !truststoreChanged) {
            return context;
        }

        if (this.keystore == null && securityStore != null) {
            throw new ConfigException("Cannot add SSL keystore to an existing listener for which no keystore was configured.");
        }
        if (this.truststore == null && securityStore2 != null) {
            throw new ConfigException("Cannot add SSL truststore to an existing listener for which no truststore was configured.");
        }
        if (this.keystoreVerifiableUsingTruststore) {
            // New side as client against the current context, then the other way round.
            SSLConfigValidatorEngine.validate(this, context, this.sslContext);
            SSLConfigValidatorEngine.validate(this, this.sslContext, context);
        }
        if (keystoreChanged) {
            // NOTE(review): both stores are re-read from disk here. When the key store file was replaced
            // in place (same path, new modification time), both loads see the same file and this
            // comparison cannot detect an identity change; verify how upstream handles that case.
            List<CertificateEntries> currentEntries = CertificateEntries.create(this.keystore.load());
            List<CertificateEntries> proposedEntries = CertificateEntries.create(securityStore.load());
            if (!currentEntries.equals(proposedEntries)) {
                throw new ConfigException("Keystore DistinguishedName or SubjectAltNames do not match");
            }
        }
        return context;
    }

    /**
     * Creates an engine from the factory's current SSL context.
     *
     * @param str peer host passed to {@link SSLContext#createSSLEngine(String, int)}
     * @param i   peer port
     * @return an engine configured for this factory's mode
     */
    public SSLEngine createSslEngine(String str, int i) {
        SSLContext current = this.sslContext;
        return createSslEngine(current, str, i);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Creates an engine from {@code sSLContext} and applies the factory's settings to it.
     *
     * <p>Server mode: client authentication is required when {@code needClientAuth} is set, otherwise
     * it is requested or not according to {@code wantClientAuth}. No endpoint identification is set.
     *
     * <p>Client mode: the configured endpoint identification algorithm is applied. When it is
     * {@code null} or empty, JSSE performs no host name verification of the server certificate.
     *
     * @param sSLContext context to create the engine from
     * @param str        peer host
     * @param i          peer port
     * @return the configured engine
     */
    public SSLEngine createSslEngine(SSLContext sSLContext, String str, int i) {
        SSLEngine engine = sSLContext.createSSLEngine(str, i);
        // Restrictions are applied only when configured; otherwise the context defaults stay in force.
        if (this.cipherSuites != null) {
            engine.setEnabledCipherSuites(this.cipherSuites);
        }
        if (this.enabledProtocols != null) {
            engine.setEnabledProtocols(this.enabledProtocols);
        }

        if (this.mode != Mode.SERVER) {
            engine.setUseClientMode(true);
            SSLParameters parameters = engine.getSSLParameters();
            parameters.setEndpointIdentificationAlgorithm(this.endpointIdentification);
            engine.setSSLParameters(parameters);
            return engine;
        }

        engine.setUseClientMode(false);
        if (this.needClientAuth) {
            engine.setNeedClientAuth(true);
        } else {
            engine.setWantClientAuth(this.wantClientAuth);
        }
        return engine;
    }

    /**
     * Returns the SSL context currently in use.
     *
     * @return the context, or {@code null} before the factory has been configured
     */
    public SSLContext sslContext() {
        SSLContext current = this.sslContext;
        return current;
    }

    /**
     * Builds the key store descriptor, requiring location and store password to be given together.
     *
     * @param str       key store type
     * @param str2      key store location, or {@code null}
     * @param password  key store password, or {@code null}
     * @param password2 private-key password, may be {@code null}
     * @return the descriptor, or {@code null} when neither location nor password is configured
     * @throws KafkaException if only one of location and password is configured
     */
    private SecurityStore createKeystore(String str, String str2, Password password, Password password2) {
        boolean hasLocation = str2 != null;
        boolean hasPassword = password != null;
        if (!hasLocation && hasPassword) {
            throw new KafkaException("SSL key store is not specified, but key store password is specified.");
        }
        if (hasLocation && !hasPassword) {
            throw new KafkaException("SSL key store is specified, but key store password is not specified.");
        }
        // From here on both are present or both are absent.
        return hasLocation ? new SecurityStore(str, str2, password, password2) : null;
    }

    /**
     * Builds the trust store descriptor.
     *
     * <p>Unlike the key store, a trust store location without a password is accepted. The store is
     * then loaded with a {@code null} password, for which the JDK skips the store integrity check.
     *
     * @param str      trust store type
     * @param str2     trust store location, or {@code null}
     * @param password trust store password, may be {@code null}
     * @return the descriptor, or {@code null} when no location is configured
     * @throws KafkaException if a password is configured without a location
     */
    private SecurityStore createTruststore(String str, String str2, Password password) {
        if (str2 == null) {
            if (password != null) {
                throw new KafkaException("SSL trust store is not specified, but trust store password is specified.");
            }
            return null;
        }
        return new SecurityStore(str, str2, password, null);
    }
}
